mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Privileged File Delete
This commit is contained in:
parent
46208ca898
commit
d80068cc1b
@ -26,10 +26,14 @@
|
|||||||
- [streaak/keyhacks](https://github.com/streaak/keyhacks) - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid
|
- [streaak/keyhacks](https://github.com/streaak/keyhacks) - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid
|
||||||
- [trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog) - Find credentials all over the place
|
- [trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog) - Find credentials all over the place
|
||||||
```ps1
|
```ps1
|
||||||
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
|
## Scan a Github Organization
|
||||||
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
|
docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
|
||||||
trufflehog git https://github.com/trufflesecurity/trufflehog.git
|
|
||||||
trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2
|
## Scan a GitHub Repository, its Issues and Pull Requests
|
||||||
|
docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys --issue-comments --pr-comments
|
||||||
|
|
||||||
|
## Scan a Docker image for verified secrets
|
||||||
|
docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest docker --image trufflesecurity/secrets
|
||||||
```
|
```
|
||||||
- [aquasecurity/trivy](https://github.com/aquasecurity/trivy) - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets
|
- [aquasecurity/trivy](https://github.com/aquasecurity/trivy) - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets
|
||||||
- [projectdiscovery/nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) - Use these templates to test an API token against many API service endpoints
|
- [projectdiscovery/nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) - Use these templates to test an API token against many API service endpoints
|
||||||
@ -56,7 +60,7 @@ Use : https://github.com/ozguralp/gmapsapiscanner/
|
|||||||
|
|
||||||
Usage:
|
Usage:
|
||||||
| Name | Endpoint |
|
| Name | Endpoint |
|
||||||
| --- | --- |
|
| --------------------- | --- |
|
||||||
| Static Maps | https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=KEY_HERE |
|
| Static Maps | https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=KEY_HERE |
|
||||||
| Streetview | https://maps.googleapis.com/maps/api/streetview?size=400x400&location=40.720032,-73.988354&fov=90&heading=235&pitch=10&key=KEY_HERE |
|
| Streetview | https://maps.googleapis.com/maps/api/streetview?size=400x400&location=40.720032,-73.988354&fov=90&heading=235&pitch=10&key=KEY_HERE |
|
||||||
| Embed | https://www.google.com/maps/embed/v1/place?q=place_id:ChIJyX7muQw8tokR2Vf5WBBk1iQ&key=KEY_HERE |
|
| Embed | https://www.google.com/maps/embed/v1/place?q=place_id:ChIJyX7muQw8tokR2Vf5WBBk1iQ&key=KEY_HERE |
|
||||||
|
@ -238,3 +238,5 @@ A valid PHAR includes four elements:
|
|||||||
* [How to exploit the PHAR Deserialization Vulnerability - Alexandru Postolache - May 29, 2020](https://pentest-tools.com/blog/exploit-phar-deserialization-vulnerability/)
|
* [How to exploit the PHAR Deserialization Vulnerability - Alexandru Postolache - May 29, 2020](https://pentest-tools.com/blog/exploit-phar-deserialization-vulnerability/)
|
||||||
* [phar:// deserialization - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/phar-deserialization)
|
* [phar:// deserialization - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/phar-deserialization)
|
||||||
* [Finding PHP Serialization Gadget Chain - DG'hAck Unserial killer - Aug 11, 2022 - xanhacks](https://www.xanhacks.xyz/p/php-gadget-chain/#introduction)
|
* [Finding PHP Serialization Gadget Chain - DG'hAck Unserial killer - Aug 11, 2022 - xanhacks](https://www.xanhacks.xyz/p/php-gadget-chain/#introduction)
|
||||||
|
* [FINDING A POP CHAIN ON A COMMON SYMFONY BUNDLE: PART 1 - Rémi Matasse - 12/09/2023](https://www.synacktiv.com/publications/finding-a-pop-chain-on-a-common-symfony-bundle-part-1)
|
||||||
|
* [FINDING A POP CHAIN ON A COMMON SYMFONY BUNDLE: PART 2 - Rémi Matasse - 11/10/2023](https://www.synacktiv.com/publications/finding-a-pop-chain-on-a-common-symfony-bundle-part-2)
|
@ -54,6 +54,7 @@
|
|||||||
* [UsoDLLLoader](#usodllloader)
|
* [UsoDLLLoader](#usodllloader)
|
||||||
* [WerTrigger](#wertrigger)
|
* [WerTrigger](#wertrigger)
|
||||||
* [WerMgr](#wermgr)
|
* [WerMgr](#wermgr)
|
||||||
|
* [EoP - Privileged File Delete](#eop---privileged-file-delete)
|
||||||
* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure)
|
* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure)
|
||||||
* [MS08-067 (NetAPI)](#ms08-067-netapi)
|
* [MS08-067 (NetAPI)](#ms08-067-netapi)
|
||||||
* [MS10-015 (KiTrap0D)](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7)
|
* [MS10-015 (KiTrap0D)](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7)
|
||||||
@ -1325,6 +1326,27 @@ If we found a privileged file write vulnerability in Windows or in some third-pa
|
|||||||
5. Enjoy a shell as **NT AUTHORITY\SYSTEM**
|
5. Enjoy a shell as **NT AUTHORITY\SYSTEM**
|
||||||
|
|
||||||
|
|
||||||
|
## EoP - Privileged File Delete
|
||||||
|
|
||||||
|
During an MSI installation, the Windows Installer service maintains a record of every changes in case it needs to be rolled back, to do that it will create:
|
||||||
|
|
||||||
|
* a folder at `C:\Config.Msi` containing
|
||||||
|
* a rollback script (`.rbs`)
|
||||||
|
* a rollback file (`.rbf`)
|
||||||
|
|
||||||
|
To convert a privileged file delete to a local privilege escalation, you need to abuse the Windows Installer service.
|
||||||
|
* delete the protected `C:\Config.Msi` folder immediately after it's created by the Windows Installer
|
||||||
|
* recreate the `C:\Config.Msi` folder with weak DACL permissions since ordinary users are allowed to create folders at the root of `C:\`.
|
||||||
|
* drop malicious `.rbs` and `.rbf` files into it to be executed by the MSI rollback
|
||||||
|
* then upon rollback, Windows Installer will make arbitrary changes to the system
|
||||||
|
|
||||||
|
The easiest way to trigger this chain is using [thezdi/FilesystemEoPs/FolderOrFileDeleteToSystem](https://github.com/thezdi/PoC/tree/master/FilesystemEoPs/FolderOrFileDeleteToSystem).
|
||||||
|
The exploit contains a .msi file with 2 actions, the first one produces a delay and the second throws an error to make it rollback. This rollback will "restore" a malicious HID.dll in `C:\Program Files\Common Files\microsoft shared\ink\HID.dll`.
|
||||||
|
|
||||||
|
Then switch to the secure desktop using `[CTRL]+[ALT]+[DELETE]` and open the On-Screen Keyboard (`osk.exe`).
|
||||||
|
The `osk.exe` process first looks for the `C:\Program Files\Common Files\microsoft shared\ink\HID.dll` library instead of `C:\Windows\System32\HID.dll`
|
||||||
|
|
||||||
|
|
||||||
## EoP - Common Vulnerabilities and Exposure
|
## EoP - Common Vulnerabilities and Exposure
|
||||||
|
|
||||||
### MS08-067 (NetAPI)
|
### MS08-067 (NetAPI)
|
||||||
@ -1494,3 +1516,5 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com
|
|||||||
* [MSIFortune - LPE with MSI Installers - Oct 3, 2023 - PfiatDe](https://badoption.eu/blog/2023/10/03/MSIFortune.html)
|
* [MSIFortune - LPE with MSI Installers - Oct 3, 2023 - PfiatDe](https://badoption.eu/blog/2023/10/03/MSIFortune.html)
|
||||||
* [MSI Shenanigans. Part 1 – Offensive Capabilities Overview - DECEMBER 8, 2022 - Mariusz Banach](https://mgeeky.tech/msi-shenanigans-part-1/)
|
* [MSI Shenanigans. Part 1 – Offensive Capabilities Overview - DECEMBER 8, 2022 - Mariusz Banach](https://mgeeky.tech/msi-shenanigans-part-1/)
|
||||||
* [Escalating Privileges via Third-Party Windows Installers - ANDREW OLIVEAU - JUL 19, 2023](https://www.mandiant.com/resources/blog/privileges-third-party-windows-installers)
|
* [Escalating Privileges via Third-Party Windows Installers - ANDREW OLIVEAU - JUL 19, 2023](https://www.mandiant.com/resources/blog/privileges-third-party-windows-installers)
|
||||||
|
* [Deleting Your Way Into SYSTEM: Why Arbitrary File Deletion Vulnerabilities Matter - ANDREW OLIVEAU - SEP 11, 2023](https://www.mandiant.com/resources/blog/arbitrary-file-deletion-vulnerabilities)
|
||||||
|
* [ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS - Simon Zuckerbraun - March 17, 2022 ](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks)
|
Loading…
Reference in New Issue
Block a user